As a compliance and cybersecurity software provider to registered investment adviser (RIA) firms, we recognize the importance of raising awareness for National Cybersecurity Awareness Month. Hackers and fraudsters are using new and more sophisticated ways to target financial services firms and investors. We recently published a blog post listing the top three tools for RIAs to deploy to help protect their firm's devices.
In this blog post, we discuss the human element in cybersecurity risk management. Learn how to identify and prevent cybersecurity scams with strategies such as implementing proper policies and procedures, and using client knowledge to recognize cybersecurity red flags.
RIA firms must create and implement reasonable policies and procedures designed to mitigate cybersecurity risks and safeguard the private data of the firm and its clients. It is important for all employees of the firm to follow those policies and procedures every day, and to stay aware of the evolving cyber threats in the current environment.
What can employees do to ensure they are doing their part to be the firm’s best cybersecurity defense?
Employees must be vigilant, every day. Hackers have become expert impersonators, posing as a firm's client by using private client information gained through social engineering to trick the adviser into a scam. RIAs face threats such as phishing attacks, social engineering attacks and malware.
Investment advisers are in the unique position to establish relationships with their clients and become familiar with their clients’ investment behavior and communication habits.
If you receive a request to move or change your client's funds, run through the following questions.
- Is this request aligned with my client’s investing habits and goals?
- Is this the approved form of communication (phone call, email, text message)?
- Did I take enough time to carefully confirm the correct client’s name, routing number, account number, and any other important identifying information related to the request?
We recommend advisers educate clients on the firm's policies and procedures designed to safeguard private information and investments. The client should understand that you may be required to process requests only via certain communication channels, or only through a predetermined phone number and/or email address. Not only can robust cybersecurity protocols be a selling point for your firm with clients and prospective clients, they also create a smooth process for completing requests.
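The checklist above, together with the predetermined-channel rule, can be written down as a screening routine the adviser runs before acting on any money-movement request. The following is an added example, not code from the original post; the client profile, the request, the channel names and all account values in it are constructed for illustration, and the policy it encodes (phone-only instructions, a callback number on file) is a hypothetical firm policy.

```python
from dataclasses import dataclass

@dataclass
class ClientProfile:            # what the adviser already knows (constructed sample)
    name: str
    approved_channels: frozenset   # channels agreed with the client in advance
    email_on_file: str
    phone_on_file: str             # predetermined callback number
    routing_on_file: str
    account_on_file: str
    typical_max_transfer: float    # largest transfer seen in normal activity

@dataclass
class MoneyRequest:             # an incoming request to move client funds
    client_name: str
    channel: str                   # "email", "phone" or "text"
    sender: str                    # address or number the request came from
    routing: str
    account: str
    amount: float
    urgent: bool = False           # pressure for immediate action

def screen_request(profile: ClientProfile, req: MoneyRequest) -> list:
    """Run the adviser's checklist; each mismatch becomes a red flag. No flags
    is not approval: identity is still confirmed by calling the number on file."""
    flags = []
    if req.channel not in profile.approved_channels:
        flags.append(f"channel '{req.channel}' is not approved for this client")
    if req.sender not in (profile.email_on_file, profile.phone_on_file):
        flags.append(f"sender '{req.sender}' does not match the contact on file")
    if req.client_name.strip().casefold() != profile.name.strip().casefold():
        flags.append("client name does not match the profile")
    if (req.routing, req.account) != (profile.routing_on_file, profile.account_on_file):
        flags.append("destination routing/account differs from the account on file")
    if req.amount > profile.typical_max_transfer:
        flags.append("amount exceeds the client's typical transfer size")
    if req.urgent:
        flags.append("request pressures for immediate action")
    return flags

# Constructed sample: the client agreed to phone-only instructions; an emailed
# request arrives from a look-alike address, naming a new account, marked urgent.
SAMPLE_PROFILE = ClientProfile("Jane Doe", frozenset({"phone"}), "jane@example.com",
                               "+1-555-0100", "111000000", "000111222", 25000.0)
SAMPLE_REQUEST = MoneyRequest("Jane Doe", "email", "jane.doe@examp1e.com",
                              "111000000", "999888777", 60000.0, urgent=True)

if __name__ == "__main__":
    for flag in screen_request(SAMPLE_PROFILE, SAMPLE_REQUEST):
        print("RED FLAG:", flag)
```

A request that raises no flags still goes through the firm's normal identity confirmation; the screening only decides how hard to look before that call.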
During these client education conversations, it is helpful to discuss your firm's billing practices so that clients can recognize potential scams. Would your firm ever call their personal phone to demand an immediate payment? Similarly, they should be aware that government agencies such as the Internal Revenue Service (IRS) would not contact them for payment via phone call.
It is beneficial to outline your firm's communication practices in a one-sheet or pamphlet for all clients. They should know who will contact them, how frequently, and by what method. The client should also understand how you expect them to contact you, and what process you must go through to confirm their identity in certain cases. Any communication outside of these pre-planned practices should immediately raise red flags.
Cybersecurity is most successful when both your advisory staff and their clients understand the policies and procedures in place. Your firm should regularly test and review these policies and procedures for effectiveness. Are staff and clients following the policies? Which area(s) of your processes are most at risk for human error or cybersecurity attacks? Even if your policies appear to work seamlessly, frequent testing can reveal unknown weak points in your cybersecurity.
These guidelines on identifying risks and conducting ongoing policy education can help your firm mitigate cybersecurity incidents.