Financial firms, such as registered investment advisers (“RIAs”), have undoubtedly become a popular target for cyber attackers. In this blog post, we discuss five major elements to address when developing or enhancing your RIA firm’s cybersecurity program in 2022: 1) users, 2) infrastructure, 3) reporting, 4) review, and 5) testing.
First, we must address the human element, as technology users can be the most common attack vector for cybersecurity incidents like data breaches. With efficient training, however, your employees can also be your greatest asset and first line of defense in combating cyberattacks and threats. We truly cannot stress this enough!
RIA firms can begin to promote a culture of cybersecurity awareness in the recruiting and hiring process by assessing candidates for cybersecurity hygiene. Hiring managers should aim to get a good grasp of the candidate’s knowledge, habits, and willingness to be trained in cybersecurity.
Speaking of training, a crucial part of an efficient cybersecurity program is to ensure that all employees have the proper training for their role within the organization. Every employee must understand the potential outcomes affecting both the firm and its customers in the event of a cybersecurity breach. Conduct ongoing training on how to spot suspicious emails, how to detect if their computer is infected, and how to report any unusual activity quickly.
Set an open-door policy and a no blame policy, so employees can report if they accidentally did something to put the firm at risk or see someone else doing something risky. This means there should be no repercussions. The faster they inform you, the faster you can address the issue.
A key point is to conduct ongoing training with tactics like phishing attacks, discussions, and protocols for “what if” scenarios.
RIA firms should choose a network infrastructure that can enhance the efficiency of the organization while ensuring security of critical business data. With current workforces being spread out rather than in one office, consider a virtual desktop infrastructure to maintain information security and compliance, reduce operational costs, and offer employees flexibility to work nearly anywhere in the world.
An additional cybersecurity tactic, as mentioned in the SEC’s seven cybersecurity management practices areas, is to maintain access rights and controls by limiting access to devices and systems only to those in the organization authorized to use data within those systems based on the user’s job responsibilities. Create policies for "acceptable use" access, mobile device usage, third-party vendor logs, and termination of access for former employees.
Maintain an active list of the technologies and vendors you currently use to assemble your technology stack. Each year, make sure you have all vendor cyber-security policies on file, and know the process of reporting an incident that may affect their systems or possibly stem from their systems.
We mentioned encouraging individuals to report potential cybersecurity incidents earlier in this post, but there is also one other form of reporting vital to add to your cybersecurity program.
RIA firms should run and document regular reports on their information technology systems to demonstrate the execution of security measures in place to prevent the loss of sensitive and proprietary data. Such reports include access reports, patch management reports, vulnerability and remediation reports, and virus scan reports. Keep detailed records of these reports and any cybersecurity incidents.
For software versions of your technology stack, make sure you have periodic reports on file that summarize the activities of that cyber defense tool. For example, tools such as multifactor authentication (MFA) should create reports on login attempts made by your employees, when and from where.
Vulnerability scanning programs should show current vulnerabilities and then subsequent remediation of those vulnerabilities. The history of active remediation is important from an operational as well as compliance perspective.
Conduct ongoing reviews of your cybersecurity policies and procedures. With this step, you can provide regulators with documented proof that you have carefully crafted a cybersecurity program unique to your firm and the industry’s evolving cybersecurity threats. During reviews and revisions, be specific when documenting methodology, timing, and responsible parties for the firm’s cybersecurity activities.
Adding the periodic reporting above also shows active participation of your users, vendors, and technology in preventing cyber security incidents.
Having a centralized panel to store and access all this information makes it much easier to handle all the information you should be collecting.
Leverage technology to perform cyber-risk assessments and determine if security weaknesses are present. Once you’ve defined a training program for your users, established a solid technology stack to guard against and mitigate the risk of loss due to a cyber-attack, and have the means to review and collect the periodic data generated by training and tech stack, we recommend conducting penetration tests, also known as authorized simulated cyberattacks on your firm’s system.
Cybersecurity is no simple endeavor – consider joining forces with a qualified technology partner to ensure your firm is leveraging all the right resources and tactics to keep the sensitive data of your firm and your clients’ secure.