Registered Investment Adviser (RIA) Cybersecurity Compliance: A Comprehensive Guide
Learn about regulatory risks, industry best practices and detailed steps to develop and implement an effective cybersecurity plan for your RIA.
Cybersecurity is an increasingly important topic for the wealth management industry, whether we’re talking about managing passwords, identifying phishing attempts or other forms of cyberattacks. If your firm gets hacked, your clients’ sensitive information could be exposed, which can be an expensive experience — both in terms of money and reputation.
No matter what processes, software and systems you have in place, it takes only one employee clicking a bad link, using a weak password on their laptop or failing to tell management about a mistake to cause a breach. Consistently trained employees can be your greatest asset and first line of defense against cyberattacks.
The SEC recommends all RIA firms offer structured training and education on cybersecurity risks and prevention to all their employees. RIA firms should begin by classifying their employees as either cybersecurity trained or untrained. Then, firms can develop a plan to move each employee from untrained to trained as quickly as possible, to prevent human error.
Without the proper training, your employees may put your firm’s data at risk and not even know it.
How to create a cybersecurity awareness training program for your RIA firm
Here are three key steps to designing a cybersecurity awareness training program:
Step One: Develop content
When it comes to regulatory examinations, you can expect an increased focus on both the content of your training program and how you implement it. We recommend that after employees receive basic training on cybersecurity information, standards, policies and tools, they also receive role-specific, in-depth training. In other words: basic training for everyone, specialty training by role.
- Basic training — Make sure all employees understand what is at stake should there be a cybersecurity breach at your RIA firm. Train them to spot suspicious emails, to recognize when their computer is behaving abnormally and to report any unusual activity.
- Specialty training — Focus on cybersecurity best practices and risks specific to an employee’s job function. Some employees need access to more sensitive data than others. For example, an employee who works in human resources should receive additional training on handling personally identifiable information (PII), because there is a good chance they have access to this type of information for the firm’s own employees.
Another important tip is to enact a “no blame” policy. Employees should feel encouraged to report when they or someone else may have inadvertently done something to put the firm at risk. There should be no repercussions. You will want to know immediately when an employee has opened a suspicious attachment or downloaded something off the internet which may contain a virus. The faster they inform you, the faster you can address the issue.
Step Two: Schedule ongoing cybersecurity training sessions
A training program should be periodic and consistent. Hackers only continue to get more creative and sophisticated over time, meaning you need to keep your employees informed on how to spot new threats to the firm.
Step Three: Make your training program unique to your RIA firm
Since your cybersecurity awareness training needs to be consistent and ongoing, vary how you deliver it to avoid boredom or burnout. One of the most effective methods is a simulated attack (for example, a phishing simulation) set up by your information technology (IT) department or an outside company. Employees react to the simulated attack in real time and afterwards receive coaching on any mistakes they made during the drill. Reward employees who follow best practices, and treat a failed simulation as a training opportunity rather than a disciplinary matter, consistent with the no-blame policy above.
Documenting results from these initial steps will demonstrate that your firm is taking needed action to improve your cybersecurity program.
Next, we will highlight the three elements of RIA cybersecurity: people, technology, and vendors.
People can be your RIA firm's greatest asset or weakness
As we mentioned above, trained employees are an RIA firm’s greatest asset against cyber attacks. Untrained and uneducated employees remain the weakest link in a firm’s IT security plan. Ensuring your firm has the proper controls and training in place can help mitigate the risk that people pose.
- Controls - Each employee or advisor should have only the access to internal and third-party systems that their job requires (the principle of least privilege), and that access should be reviewed periodically. Sensitive or nonpublic personal information (NPI) should be stored only in the systems that need it (e.g. don't replicate client account information into every company system). Lastly, when an employee is terminated, access to all company systems, including third-party and cloud services, should be revoked immediately. The goal of access rights and controls is to minimize the damage any single compromised account or careless user can do.
- Training - Common employee-related cybersecurity issues include leaving a company computer or mobile device unprotected, poor password management, mishandling personal information, not using two-factor authentication, failing to recognize phishing emails, acting on unauthorized wire or fund transfer requests and running outdated anti-virus software.
How RIA firms can protect against cyber attacks
With increased sophistication around phishing emails, it is more important than ever to make sure your staff is properly trained to identify a potential fraudulent phishing email.
Here are a few common tips on how to detect a phishing email:
- Don't trust the sender display name; check the actual sender address behind it.
- Stay alert even when the sender address is legitimate: a compromised account sends mail that looks entirely valid, so judge the content and the request, not just the address.
- Don't click links in unexpected emails; hover over a link to see whether the destination matches the text shown.
- Check for grammatical and spelling errors.
- Don't open unexpected attachments, even from known senders.
- Don't be rushed by urgent or action-item subject lines; urgency is a pressure tactic.
- Never send personal information via email; a legitimate firm or vendor will not ask you to.
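Several of the tips above can be checked mechanically before a message ever reaches a person. The following Python script is an added example, not code from the original guide: it parses a raw email with the standard library and flags the indicators listed above (a display name that disagrees with the real address, a look-alike sender domain, a mismatched Reply-To, urgency wording in the subject, and link text that shows one domain while the link points to another). The firm domain `example-advisors.com`, the two sample messages and the indicator names are all constructed for the example.

```python
"""Flag the phishing indicators discussed above in a raw email message.

Added example; the firm domain, the sample messages and the indicator
names are constructed for illustration and are not from the original guide.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the firm legitimately sends mail from.
TRUSTED_DOMAINS = {"example-advisors.com"}
# Pressure words that commonly appear in fraudulent wire and credential requests.
URGENT_WORDS = ("urgent", "immediately", "action required", "wire today", "final notice")


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _first_address(msg, header):
    """(display name, addr-spec) of the first mailbox in a header, or ('', '')."""
    hdr = msg[header]
    if hdr is None or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].addr_spec


def _edit_distance(a, b):
    """Levenshtein distance; a trusted domain one or two edits away is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _shown_domain(text):
    """Domain a reader would see in link text, or '' if the text is not URL-like."""
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", text.strip().lower())
    return m.group(1) if m else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def phishing_indicators(raw):
    """Return the indicator names found in one RFC 5322 message, in check order."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = _first_address(msg, "From")
    from_dom = _domain(addr)

    # 1. Display name that is itself an address on a different domain.
    if _domain(name) and _domain(name) != from_dom:
        findings.append("display-name-mismatch")
    # 2. Sender domain that is a near-miss of a trusted one (e.g. one character swapped).
    if from_dom not in TRUSTED_DOMAINS and any(_edit_distance(from_dom, t) <= 2 for t in TRUSTED_DOMAINS):
        findings.append("lookalike-domain")
    # 3. Replies silently routed somewhere other than the apparent sender.
    reply_dom = _domain(_first_address(msg, "Reply-To")[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # 4. Urgency in the subject line.
    if any(w in str(msg.get("Subject", "")).lower() for w in URGENT_WORDS):
        findings.append("urgent-subject")
    # 5. Link text showing one domain while the href points to another.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            href_dom, text_dom = (urlparse(href).hostname or ""), _shown_domain(text)
            if text_dom and href_dom and text_dom != href_dom:
                findings.append("link-text-mismatch")
                break
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "jane@example-advisors.com" <jane@examp1e-advisors.com>
Reply-To: billing@mail-relay.example.net
To: ops@example-advisors.com
Subject: URGENT: wire today before market close
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Approve here: <a href="http://198.51.100.7/login">https://portal.example-advisors.com</a></p>
"""

CLEAN = """\
From: Jane Doe <jane@example-advisors.com>
To: ops@example-advisors.com
Subject: Q3 statement review
Content-Type: text/plain; charset="utf-8"

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, phishing_indicators(raw))
```

Running the script prints all five indicators for the constructed phishing message and none for the clean one. A tool like this is a triage aid, not a verdict: the second tip above still applies, because a message from a genuinely compromised client or colleague account will pass every one of these checks.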
Social engineering cyber attack
In a social engineering attack, cyber criminals research an individual staff member online, looking for publicly available information that can help them answer the person’s security questions, guess usernames and passwords, or craft a convincing phishing email.
Here are a few tips for RIA firm staff members to help protect against social engineering:
- Do not make social media profiles accessible to the public.
- Be cautious when accepting social media requests.
- Choose security questions whose answers cannot be found online, or use made-up answers kept in a password manager.
- Use different security questions and answers for different systems.
- Always be wary of requests for personal information, whether by email, phone or in person.
- Don’t plug in a “lost” USB drive or other storage device found in the office or parking lot; hand it to IT.
Ransomware cyber attack
In a ransomware cyber attack, hackers look to access personal or company data, block the individual or company's access to certain information, and hold it hostage until a ransom is paid to unlock the data. In other instances, the hacker will threaten to distribute the information publicly if the ransom is not paid.
Here are a few common tips to help protect against RIA ransomware cyber attacks:
- Follow email phishing prevention best practices.
- Be cautious before granting anyone remote access to your computer.
- Make sure up-to-date antivirus software is installed, and operating system and application patches applied, on all network computers.
- Keep current, tested backups that are stored offline or otherwise isolated from the network, so that data can be restored without paying a ransom.
Client impersonation cyber attack
An RIA firm’s clients may be even more vulnerable to a cybersecurity breach than an RIA firm or its employees. Client impersonation cybersecurity attacks are particularly dangerous to an RIA firm because once a client’s funds are transferred or wired to a third party, there is often little that can be done to retrieve the funds.
To protect against a client impersonation attack, an RIA firm should remember:
- Carefully review client emails before responding or taking action: Many unauthorized wire requests are sent by an impersonator from the client’s actual (compromised) email account, so a valid sender address proves nothing. Be on high alert for anything unusual about the request, such as a new destination account, a change of tone or pressure to act quickly.
- Verbally confirm all wire requests: Your firm’s compliance manual should require all personnel to verbally confirm every wire request with the client, using a phone number already on file, never one supplied in the email itself.
- Don’t be pressured into making a mistake: Even if it is a legitimate client wire request, you should never cut corners, even if it may lead to client frustration.
Non-public personal information
RIA firms have access to various personally identifiable financial information for their clients, which constitutes non-public personal information (NPI). For investment advisers, the treatment of this information is governed at a federal level by the SEC's Regulation S-P. Advisory firms should be aware that many states have their own regulations governing protection of NPI and similar data, which are often more protective than federal requirements.
Under federal regulation, NPI generally includes any:
- Information which a consumer provides to obtain a financial service or product from you.
- Information about a consumer resulting from transactions involving a financial service or product.
- Information you otherwise obtain about a consumer in connection with providing a financial service or product to the consumer.
Thankfully, Regulation S-P includes a non-exclusive list of examples of what would be considered NPI. Notable exclusions from non-public personal information include aggregated information or blind data, which does not identify a consumer. That said, most of an RIA firm's technology systems will inevitably contain non-public personal information.
Given both the potential regulatory and reputational risk that the exposure of non-public personal information poses to advisory firms, it is essential to implement policies and procedures, along with staff training to protect NPI.
Many RIA firms store sensitive client information on the firm's network and deploy a bring your own device (BYOD) policy as it relates to computers and mobile devices. While mandatory information security training may be the first critical step in any firm's cybersecurity plan, the next key focus should be on thoroughly securing the firm's network and devices.
- Secure your network with regular vulnerability scans and penetration tests to help mitigate the risk of a potential breach.
- In a BYOD or firm-issued device environment, proper policies and procedures need to be established and implemented to inventory all relevant employee devices, to require encryption and screen locks, and to allow the firm to remotely locate, lock and wipe a lost or stolen device. RIA firms should also be cautious about introducing internet-of-things (IoT) devices to the firm's network; they can provide an unintentional access point to the network and create other client privacy and data security issues.
Technology best practices for RIAs
Encryption is a method of protecting sensitive information from unauthorized access while the data is “in transit” (e.g. sent via email or over a network connection) or “at rest” (e.g. stored on a laptop computer’s hard drive).
Though it’s unlikely an RIA will find a regulatory compliance rule which explicitly requires the use of encryption, it is a common focus area during cybersecurity-related regulatory examinations. As such, RIA firms should consider two areas of encryption:
- Electronic communication: In a risk alert, the SEC’s Division of Examinations noted that “staff observed registrants did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails to customers containing personally identifiable information (PII).” Use an encrypted email option or a secure client portal for any message that carries NPI.
- Device protection: RIA firms should strongly consider deploying encryption technology, such as full-disk encryption, to protect sensitive information that may be held on company devices, including laptops and mobile phones.
We always recommend firms consult with their information technology provider before deploying any encryption method, as there are many factors to consider.
The SEC defines data loss prevention as “a strategy embraced and enforced by an organization to ensure that end users (employees, owners, vendors, etc.) do not send sensitive or critical information outside the corporate network.”
Regulators, such as the SEC, will focus on your firm’s policies and procedures and the execution of security measures to prevent the loss of sensitive client and proprietary firm data. RIA firms will need to demonstrate how their security measures strengthen their ability to identify, monitor and protect data at rest, in use and in transit.
There are three components under the data loss prevention umbrella:
- How does your RIA firm store, access and transmit data? Use the following questions to assess your cybersecurity program:
  - In what quantities is data transferred? Is there ever a need to access and/or transmit data for one client or for many clients in bulk? Are these processes tightly controlled?
  - In what fashion is data transferred and for what purposes? Are processes and policies in place to limit sensitive data transfers to “business critical” functions? Do all staff know which transfer mechanisms are allowed and under what defined circumstances?
  - Is it possible to transfer data to entities outside the firm, and to whom? What processes are in place to verify and authorize outside recipients?
- What processes, procedures and mechanisms are in place to identify and categorize data, control and limit access to it, and detect misuse? Have your technology support team run reports that clearly show who has access to what. It is generally unacceptable to store data in a manner where everyone has wide-open access to everything.
- Do you have an ongoing process or system to identify, address and remediate known security issues within your network and computer systems? You should be able to demonstrate how your firm continuously monitors its systems for vulnerabilities and how it mitigates known vulnerabilities until a permanent fix can be applied. Strive to have all systems fully patched within no more than 30 to 45 days of patches being made public.
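The controls bullet in the people section and the “who has access to what” question above both come down to one recurring exercise: pull the access lists out of each system, compare them with the HR roster and with the access each role is approved to hold, and act on the differences. The following Python script is an added example of that review, not code from the original guide. The roster, the entitlement matrix, the system names and the access export are all constructed; a real run would read them from the HR system and from each application’s own access report.

```python
"""Periodic access-rights review: who can reach what, and whether they should.

Added example. The roster, entitlement matrix, systems and access export are
constructed for illustration; they are not data from the original guide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    system: str
    user: str
    permission: str  # "read", "write" or "admin"


PERMISSION_RANK = {"read": 1, "write": 2, "admin": 3}

# Constructed HR roster: user -> (role, employment status).
ROSTER = {
    "asmith": ("advisor", "active"),
    "bjones": ("hr", "active"),
    "cwu": ("advisor", "terminated"),
    "dlee": ("ops", "active"),
}

# Assumed entitlement matrix: the most access each role is approved to hold.
ENTITLEMENTS = {
    "advisor": {"crm": "write", "portfolio": "read"},
    "hr": {"hris": "write"},
    "ops": {"crm": "read", "portfolio": "write", "hris": "read"},
}

# Constructed export of the access reports pulled from each system.
GRANTS = [
    Grant("crm", "asmith", "write"),
    Grant("portfolio", "asmith", "read"),
    Grant("hris", "asmith", "read"),      # advisor with access to employee PII
    Grant("hris", "bjones", "write"),
    Grant("crm", "cwu", "write"),         # terminated user never deprovisioned
    Grant("portfolio", "dlee", "admin"),  # more than the ops role allows
    Grant("crm", "ghost", "read"),        # account with no HR record behind it
]


def review_access(grants, roster, entitlements):
    """Return (user, system, finding) for every grant that fails the review."""
    findings = []
    for g in grants:
        if g.user not in roster:
            findings.append((g.user, g.system, "orphan-account"))
            continue
        role, status = roster[g.user]
        if status != "active":
            # Any surviving access for a departed employee is a finding, whatever the level.
            findings.append((g.user, g.system, "terminated-still-active"))
            continue
        allowed = entitlements.get(role, {})
        if g.system not in allowed:
            findings.append((g.user, g.system, "system-not-in-role"))
        elif PERMISSION_RANK[g.permission] > PERMISSION_RANK[allowed[g.system]]:
            findings.append((g.user, g.system, "excess-permission"))
    return findings


def access_matrix(grants):
    """'Who has what' view for the examiner: {system: {user: permission}}."""
    matrix = {}
    for g in grants:
        matrix.setdefault(g.system, {})[g.user] = g.permission
    return matrix


def wide_open_systems(grants, roster, threshold=0.75):
    """Systems reachable by at least `threshold` of the active workforce; these deserve a second look."""
    active = {u for u, (_, status) in roster.items() if status == "active"}
    users = {}
    for g in grants:
        if g.user in active:
            users.setdefault(g.system, set()).add(g.user)
    return sorted(s for s, us in users.items() if len(us) / len(active) >= threshold)


if __name__ == "__main__":
    for user, system, finding in review_access(GRANTS, ROSTER, ENTITLEMENTS):
        print(f"{finding:24} {user:8} {system}")
    print("broadly shared:", wide_open_systems(GRANTS, ROSTER, threshold=0.6))
```

On the constructed data the review surfaces four findings: an advisor holding HR-system access outside the advisor role, a terminated user still provisioned in the CRM, an operations user with admin rights where the role allows write, and an account with no HR record at all. Keeping the dated output of each run is the documentation examiners ask for when they probe access rights and controls.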
The SEC began focusing its attention on third-party vendor risks in 2014, urging firms to establish due diligence processes. On Sept. 15, 2015, the SEC Office of Compliance Inspections and Examinations (OCIE) issued a risk alert flagging vendor management as one of six critical cybersecurity focus areas. Subsequent SEC OCIE risk alerts and guidance have also continued to highlight third-party vendor management as a critical cybersecurity risk area.
As more RIA firms migrate to cloud-based technology and vendors, proper vendor management and due diligence is becoming an even more important element of every investment advisory firm's cybersecurity compliance program.
In today's world, investment advisers need to actively mitigate the risk of indirect information security breaches via a third-party vendor that lead to the exposure of the RIA firm's NPI or other sensitive information.
- Due diligence - The vendor due diligence process should commence before initially engaging with a third-party vendor and should then continue as part of the firm's vendor risk assessment process. Areas to probe as part of the vendor due diligence process may include the vendor's contract, access controls, business continuity plan, third-party security reviews, history of past information security incidents and use of any other third-party vendors or outside contractors themselves.
- Mitigation - While third-party vendor risk cannot realistically be completely eliminated, thoughtful RIA firms can work to mitigate the risk any single vendor poses to the firm and its clients. While some key vendors, such as customer relationship management or portfolio management and reporting software may need access to high levels of sensitive client data, it may not be necessary for other less critical vendors to have access to NPI. RIA firms should ensure vendors only have access to the minimal level of sensitive data needed to deliver their service.
Does your firm conduct enough due diligence to ensure your clients' NPI is secure? It is imperative for investment advisers to heighten their awareness and due diligence standards to identify areas of potential risk with
Challenges advisory firms can face conducting vendor due diligence include:
- Identifying the correct contact at a vendor to provide due diligence information.
- Collecting the proper due diligence information and documents.
- Analyzing due diligence documents to verify the vendor will meet or is meeting the needs of the firm.
- Organizing vendor due diligence documents and version control.
- Conducting periodic due diligence reviews in a timely manner.
- Meeting regulatory compliance requirements and guidelines.
An efficient third-party vendor due diligence program will facilitate how firms manage interactions with their vendors. The SEC will evaluate how firms establish and document the processes and procedures to monitor, secure and allow third-party vendors to access their network and sensitive client information. This should include a standardized and documented protocol for performing due diligence, reviewing vendor contracts, a comprehensive vendor selection and approval process, and a system for monitoring their network and data access.
It's important for RIA firms to complete a risk assessment to assess the security levels and policies of vendors.
Investing in a virtual desktop infrastructure
Making technology management decisions for your RIA firm can be daunting. One of the most important decisions you must make is for your firm’s network infrastructure.
What is a Virtual Desktop Infrastructure?
Virtual desktop infrastructure (VDI) is a desktop virtualization technology where the operating system, typically Microsoft Windows, runs and is managed in an on-premises or cloud data center. The virtual desktop image is delivered over a network to the user’s device, such as a PC, tablet, or mobile phone, which allows the user to interact with the operating system and its applications as if running them in the office.
There are three major ways a VDI enables you to leverage your firm’s technology to service clients better:
- Operational efficiency
  - No on-site server is needed, which can save significant money depending on your needs and the number of people accessing the network.
  - No need to invest in the most feature-rich or fastest computers to keep employees productive, since the processing happens in the data center.
  - Your IT department or managed service provider can install updates and patches on the central image once, rather than updating every employee’s computer.
  - VDI makes it easier for firms to add advisors and support staff quickly and seamlessly.
In moving to a virtual desktop solution, you improve your RIA firm’s ability to meet the cybersecurity risks related to people, technology and third-party vendors.
With this untethered ability to work from anywhere, how do you ensure that you have the applicable security practices and protocols in place to protect your firm’s and your clients’ sensitive data?
Cloud-based VDI providers typically offer multiple layers of security, from multi-factor authentication to 24/7 monitoring by security staff, anti-virus software and other tools, that exceed what most small firms can build and staff on their own. Keep in mind, though, that the provider secures the platform; the firm still owns who gets an account, what each account can access, whether MFA is enforced and how offboarding is handled, and examiners will ask about those controls regardless of where the desktops run.
If you can’t work, you aren’t making money and you are potentially losing clients. Because VDI decouples the desktop from a physical office, staff can keep working through an office outage or relocation, provided they have a network connection and the provider itself stays available.
In general, an RIA firm's policies and procedures manual should outline the series of review activities throughout the year, including an annual compliance review as mandated by Rule 206(4)-7 of the Investment Advisers Act of 1940.
An RIA firm's annual compliance meeting is a great time to review current cybersecurity policies and procedures, implement any changes to a firm's policies and procedures, and provide additional staff training.
A few cybersecurity training areas a firm's CCO can address during the firm's annual compliance meeting include:
- Identifying phishing emails.
- Enforcing a strong password management policy.
- Testing the business continuity plan.
- Reviewing any changes to cybersecurity policies and procedures.
- Reporting suspicious activity or potential incidents.
Since staff members pose a significant inadvertent cybersecurity risk to investment advisory firms, the importance of thorough and frequent staff training and education cannot be overstated.
Cyber insurance offers an important, often underrated service to RIA firms. In the case of a cyber attack, many small-to-mid-size businesses are at risk of devastating consequences without the proper cyber coverage in place.
When selecting cybersecurity insurance, it’s important to follow the steps you would follow when choosing any other type of insurance — namely, educating yourself, weighing the options and turning to the experts if you need help.
Focusing on these cyber insurance best practices when obtaining coverage will help reduce risks for your RIA firm:
- Educate yourself on cybersecurity rules, regulations and potential exposures and risks.
- Utilize efficient processes.
- Rely on the experts.