When it comes to risk management, cybersecurity should be a top priority for all registered investment adviser (“RIA”) firms. For many investment advisory firms, there is no greater risk to the business than the potential theft or exploitation of sensitive client information. Due to regular technology usage, RIA firms need to be aware of the continuously changing cyber threats by constantly reviewing cybersecurity best practices. In addition, as the Securities and Exchange Commission (“SEC”) conducts routine investment adviser exams, the regulatory expectations related to information security policies and implementation continue to increase.
While far from an exhaustive list, here are a handful of do's and dont's in relation to RIA cybersecurity best practices:
- DO train staff to identify and report suspicious emails
- Never click on links or download attachments from unknown/suspicious senders
- Even if the email is from a known sender such as a client, be cautious if something just does not seem right or if you were not expecting an attachment to be sent
- Be very careful clicking on any emails from a known vendor as it may not be from the actual vendor but rather a malicious attempt from a 3rd party to impersonate the vendor
- If a mistake is made with such an email, ensure that staff is trained and comfortable immediately reporting the incident in order to contain the potential damage
- DO install antivirus software and a network firewall
- Be sure antivirus software is installed on all devices it is always up to date and active at all times
- DO implement information security policies and procedures to prevent and report identify cyber attacks
- Information security policies and procedures are only effective when staff is properly trained
- Conduct information security training on a regular and frequent basis
- All staff members should be trained on what explicit actions to take should an incident occur
- DO utilize two-factor password authentication whenever available
- While not foolproof, this can greatly reduce the risk of a compromised password
- Consider implementing a password manager tool to help deploy two-factor authentication
- DON'T email sensitive information to clients
- Be sure to utilize a secure client portal or encrypted email to deliver sensitive information
- Be careful responding to a client email if the client has provided sensitive information in the original email
- DON'T accept wiring instructions via email
- Always verbally confirm all client wire requests and consider establishing a “secret word” with each individual client to confirm the request.
- Educate clients on the firm’s wire confirmation procedures at the start of a new client relationship to properly set expectations and to explain the policy and rationale in detail.
- DON'T allow staff to access firm’s secure systems while traveling
- Use of public Wi-Fi involves security risks from hackers that can intercept the transfer of sensitive information
- Staff members should utilize a secure virtual private network ("VPN") when traveling
Cyber attacks can cause tremendous financial and reputational damages to an RIA firm. It's important to remember that while installing the proper technology and tools is an important component of a firm's information security plan, the importance of staff training and monitoring cannot be understated.
Below is some past cybersecurity coverage beneficial for all RIA firm principals to review:
- August 2017 SEC Risk Alert Outlines RIA Cybersecurity Best Practices
- Does New York DFS Cybersecurity Rule (23 NYCRR 500) Impact RIA Firms?
- The Greatest RIA Cybersecurity Threat is Your Firm's Staff: What To Do
- Should an RIA firm Utilize a Password Manager Tool?
- Popular Password Manager Tools for RIA Firms to Consider
- How RIA Firms Can Utilize 2 Factor Authentication To Improve Security
- SEC Releases RIA Cybersecurity Examination Sweep Summary Risk Alert
- SEC Issues Registered Investment Adviser Guidance on Cybersecurity
- NASAA releases RIA Cybersecurity Compliance Survey Results
- SEC Issues New RIA Cybersecurity Guidance Risk Alert