Written by: Brian Young
Wes Stillman is the chief executive officer of RightSize Solutions, a provider of cybersecurity and technology management services for wealth management firms. We have asked Wes to share a few tips on cybersecurity for RIAs:
Cybersecurity is a growing concern, and it has recently become a hot-button issue in business publications and national consumer news. Regulatory boards that oversee the financial services industry are taking note and quickly shifting accountability to financial advisors.
While these issues may seem daunting at first glance, the better you plan to address them, the more prepared you will be for an audit and, equally important, for responding to an unforeseen incident.
To help you manage this critical aspect of your business's health, success and security, as well as your clients' personal security, here are 3 proactive steps you can take immediately:
“9 out of 10 organizations do not believe their cybersecurity fully meets their needs.” (EY Global Information Security Survey)
1. Survey your existing technology environment. You can find easy wins, and avoid pitfalls, simply by recognizing your strengths and weaknesses.
The best place to start is by looking at what you already have. Take an inventory of the policies, software and hardware your firm uses. Where are your weak points? Consider the business partnerships and data exchanges your company executes on a daily basis. In today’s interconnected business environment, our data supply chains create many access points to your customers’ data. Make sure you are doing your part to protect these connections. Understand and document how your partners are protecting your clients’ data. Some partners, like your custodian, may offer tools and assistance for improving your security. As a last line of defense, check your Errors and Omissions Insurance; many policies now include or require cybersecurity coverage. If yours does not, consider a standalone cyber-insurance policy. Keep in mind that having insurance protection is important, but it does not negate the need for proper processes and procedures to be in place.
“62% of cyber-breach victims are small to mid-size businesses, which are at the greatest risk for an attack. Their level of preparation is low, and the costs of customer notification alone can be enough to do a small company irreparable financial harm.” (PropertyCasualty360)
2. Make sure the IT/cybersecurity section of your employee handbook is up-to-date and enforceable.
Establish a clear contingency plan for dealing with cybersecurity incidents. Make sure your plan has both preventative and reactive action items. Do you have a clear contingency plan in place and a process for responding to cyberattacks? Do your employees know what is expected of them? To ensure this, create actionable steps for dealing with employees, clients, partners, members of the press, and police and government agencies. Think about all of the levels of security at your company. Clearly lay out who has access to what, and control administrative privileges accordingly (both for internal staff and for outsourced vendors). For example, limiting the ability to install drivers and execute applications helps control what gets onto your systems and can prevent attacks like ransomware.
Lastly, recognize the impact of social media and create a policy specific to it. Not only does it distract employees, social media is a direct portal to cyber incidents. RIAs are prime targets for advanced phishing campaigns because much of their personal and business information is available online. Social media should be monitored for both public and employee comments. Policies should restrict what employees can and/or should be saying on social media accounts. Be sure to include any company social media accounts in your archive process for auditing purposes.
“Elite RIAs are more focused on maximizing their investments in existing technology as well as their partnerships with technology vendors.” (InvestmentNews Research and BlackRock Elite RIA Study)
3. Empowering your entire company to participate in awareness, and rewarding employees when they do, can drastically improve your security.
Building a culture of cybersecurity is one of the most important things you can do. Lead by example; regularly discuss cybersecurity in staff meetings and in other internal communications. Employees need to be empowered with knowledge and a shared commitment that goes far beyond the annual ‘check the box’ confirmation that they have read and understood the company IT policies. If an incident does occur, let your employees know about it. Not only will this help limit the impact of the incident, it will help your employees develop a team approach to cybersecurity. When employees alert management to mistakes early in the process, they give management the opportunity to prevent huge losses of time, data, and money. Specific ways to educate employees include conducting mock cybersecurity drills and scheduling periodic ‘test’ phishing emails or phone calls. Recent, specific documented cases should be discussed in staff meetings. Question employees directly on how they would individually handle such situations.
In conclusion, the biggest stumbling block for registered investment advisors when it comes to guarding against cybersecurity breaches is not technology-based; it’s a people problem. The right technology is critical, but RIA leaders can face a bigger challenge in fostering a cybersecurity-sensitive culture in a way that resonates throughout all levels of their firms.