RIA Compliance and Practice Management Blog

RIA cybersecurity: Levels of cybersecurity training

Posted by RIA in a Box

Oct 18, 2022 3:30:09 PM

RIA cybersecurity: levels of cybersecurity training

In a previous question and answer blog, we explored how registered investment adviser (RIA) firms can help their employees become their best cybersecurity defense. Head of Virtual Desktop Infrastructure (VDI) at RIA in a Box Richard Mabbun emphasizes the importance of establishing a tailored cybersecurity training plan for an RIA firm’s employees. In this blog post, we discuss the different stages of cybersecurity training, from basic to intermediate, that RIAs can provide to their employees, along with best practices for a cybersecurity program. 

Download the Cybersecurity Incident Response Steps Infographic

The National Cybersecurity Alliance, in conjunction with the Cybersecurity and Infrastructure Agency (CISA), have named four key behaviors in keeping digitally stored information secure: 

  • The importance of two-factor authentication. 
  • Password strength and password managers. 
  • Software updates. 
  • Phishing. 

Cybersecurity awareness is undoubtedly important year-round. However, this month is an opportune time to reevaluate your employees' cybersecurity knowledge and practices, update policies and procedures and educate your employees as needed. 

While the IT department or managed service provider (MSP) within your firm likely handles securing technology – cybersecurity training must extend to every faction of your organization. Each employee working with computers to accomplish their daily task creates opportunities for breaches in digital security.  

To keep your firm compliant and protected against such breaches, it’s crucial to continuously train and educate your people on cybersecurity best practices. 

There are some skills everyone in your firm should be familiar with and practice regularly, from your administrative assistant to your chief executive officer.  

  1. Basic training and cybersecurity familiarity.

Every firm should have a cybersecurity guidance handbook each employee has access to and is up to date with. This could include best practices for mobile device usage, password management, identifying potential cyber threats, social media behavior and other pertinent information. Update the handbook or send out bulletins as new threats are known. 

The Securities and Exchange Commission’s Cybersecurity and Resiliency Observations offer a great place to start.  

The key takeaway – all employees need to complete the basic level of cybersecurity training.  

  1. Intermediate cybersecurity skills.

Now that we’ve covered the baseline skills every person at your firm should know, let’s explore a few advanced skills required for specific job functions. As a common example, a human resources (HR) employee needs training on the recognition of Personal Identity Information (PII).  An HR employee uses and sees this every day and should know how to recognize what should be protected and how. 

  1. Specialty cybersecurity training.

Specialty training also focuses on cybersecurity best practices or risks specific to an employee’s job function. An example of a specialist requiring more robust training is an IT support technician, who needs to know the basic training, but also other types of information on risks, such as PII.  Although they do not encounter PII as their normal daily duties, they still must recognize and know what it is so they can properly guide employees on the handling and protection of PII. 

Conduct ongoing reviews 

We encourage you to conduct ongoing reviews of your cybersecurity policies and procedures, which can provide regulators with documented proof you have carefully crafted a program unique to your firm and the industry’s evolving cybersecurity threats. Be specific when documenting methodology, timing and responsible parties for the firm’s cybersecurity activities. 

Adding the periodic reporting above also shows active participation of your users, vendors, and technology in preventing cyber security incidents. 

Test your systems 

Perform cyber-risk assessments and determine what security weaknesses are present and where.  

Once you’ve defined a training program for your users, established a solid technology stack to guard against and mitigate the risk of loss due to a cyber-attack, and have the means to review and collect the periodic data generated by training and tech stack, we recommend conducting penetration tests, also known as authorized simulated cyberattacks on your firm’s system. 

Learn More About Our Cybersecurity Platform

Topics: RIA Operations, RIA Compliance, RIA Technology

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

RIA Compliance & Practice Management

Stay up to date on the latest RIA compliance, operations, and technology topics.

Hear from industry experts as they keep you up to date on the latest regulatory developments and practice management topics.

Subscribe to Email Updates

Recent Posts