In general, a registered investment adviser ("RIA") firm's policies and procedures manual should outline the process for the firm's Chief Compliance Officer ("CCO") to conduct a series of review activities including an annual compliance review as mandated by Rule 206(4)-7 of the Investment Advisers Act of 1940. In addition, the CCO is generally tasked with training company staff on a variety of relevant regulatory topics that impact the firm and each individual at the firm. The annual compliance meeting can serve as the platform to address many compliance training responsibilities including cybersecurity which remains a top federal and state RIA regulatory compliance examination focus area.
An RIA firm's annual compliance meeting is a great time to review current cybersecurity policies and procedures, implement any changes to a firm's policies and procedures, and provide additional staff training. Every RIA firm needs to prioritize cybersecurity vigilance with its broader corporate culture and fiduciary responsibility to its clients.
A few cybersecurity training areas a firm's CCO can address during the firm's annual compliance meeting include:
- How to identify phishing emails: With increased sophistication around phishing emails, it is more important than ever to make sure your staff is properly trained on how to identify a potential fraudulent phishing email. Even for advanced users, targeted phishing emails are becoming harder to detect. To start, it is important for RIA firms have a cybersecurity policy in place that addresses email phishing. However, not only should a proper policy be in place, but It is imperative firms are training all staff on how to identify a phishing email to protect sensitive internal information and client data.
- Enforce a strong password management policy: Many RIA firms have established cybersecurity policies and procedures which require advisors and staff members to use unique, complex passwords for each system. However, simply implementing such a policy is generally not enough. Instead an investment advisory firm needs to have the ability to audit, test, and ensure that staff members are actually following password policies. If left unchecked, most employees will default to bad password practices given the inherent inconveniences in utilizing unique, strong passwords.
- Test the business continuity plan: Use this time to review with staff any new updates to the firm's business continuity plan as it relates to any recent changes to the firm's key technology systems. This is also a great time to test the plan with staff members to ensure that the continuity plan works as designed and to identify any potential staff training issues. In addition, the firm can attempt to restore sample files and records from key technology systems to ensure that the restoration process is sufficient and properly configured.
- Review any changes to cybersecurity policies and procedures: The firm's CCO should discuss any recent cybersecurity incidents or new best practice learnings as an opportunity to explain any new changes to policies and procedures or the implementation of new systems such as a password manager tool or email phishing training tool. While creating information security policies and procedures are an essential first step, they are only as good as they are implemented.
- Make sure your employees feel safe about reporting suspicious or potential incidents: In order to prevent or the mitigate the damage of a potential cybersecurity incident, it is vital staff feels comfortable reporting. If staff feels safe and empowered, they are more likely to come forward and prevent a minor incident from becoming a much larger incident.
As RIA compliance consultants, we cannot stress enough RIA staff can never receive enough training when it comes to cybersecurity. Given that staff members pose a significant inadvertent cybersecurity risk to investment advisory firms, the importance of thorough and frequent staff training and education cannot be understated.