Since 2015, the U.S. Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") has specifically listed cybersecurity as a registered investment adviser ("RIA") annual examination priority. Most recently, the SEC once again highlighted cybersecurity as a regulatory examination priority for 2019. In particular, the SEC OCIE staff noted, "Specific to investment advisers, SEC OCIE will… continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response." These six areas of information security focus were first enumerated in a September 15, 2015 SEC RIA risk alert and have remained unchanged since.
To address these six cybersecurity areas of regulatory focus, we believe it makes sense to take a step back and address the three primary cybersecurity risk areas for investment advisers of all sizes: people, technology, and third party vendors.
- People
As we have previously discussed, the weakest link in any investment advisory firm's information security plan remains the inadvertent actions of its individual employees. However, proper controls and training can mitigate the risk that people pose.
It's vital that each employee or advisor have access only to the internal and third party systems, and only the data within them, that the individual needs in order to do their job. For example, access rights and controls should be established so that each advisor or client services representative can only access the clients they serve in the firm's customer relationship management ("CRM") system, rather than holding administrative access across the entire organization. Furthermore, only the sensitive or nonpublic personal information ("NPI") that a given system actually requires should be housed in it (e.g. don't replicate client account information into every company system). And lastly, when an employee is terminated, access to all company systems should be revoked immediately. The ultimate goal of access rights and controls is to minimize the potential damage if a single employee's login credentials are compromised or one particular company system is breached.
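The two controls described above (scoping each representative to the clients they serve, and revoking everything the day an employee leaves) are only as good as the checks that enforce and audit them. The following is an added example, not code from the original article or from any CRM product: it shows an enforcement-time check that a representative may open a client record, and a periodic access review that reconciles an HR roster against a CRM user export to find terminated-but-enabled accounts, unapproved administrators, and representatives who can see clients they are not assigned to. All names, client identifiers, the approved-admin list and the roster are constructed for illustration.

```python
"""Least-privilege enforcement and access review for an RIA's CRM (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Employee:
    user_id: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class CrmAccount:
    user_id: str
    enabled: bool
    role: str                            # "rep" or "admin"
    visible_clients: set = field(default_factory=set)  # client IDs the account can open


# Constructed HR roster (the book of record for who still works here).
HR_ROSTER = {
    "asmith": Employee("asmith", "active"),
    "bjones": Employee("bjones", "terminated", date(2019, 3, 1)),
    "clee": Employee("clee", "active"),
    "dpatel": Employee("dpatel", "active"),
}

# Constructed CRM user export, with the kinds of drift an access review should catch.
CRM_ACCOUNTS = [
    CrmAccount("asmith", True, "rep", {"C-1001", "C-1002"}),
    CrmAccount("bjones", True, "rep", {"C-2001"}),            # terminated, never disabled
    CrmAccount("clee", True, "admin", set()),                 # admin role nobody approved
    CrmAccount("dpatel", True, "rep", {"C-3001", "C-1002"}),  # C-1002 belongs to asmith
    CrmAccount("svc-reporting", True, "admin", set()),        # service account, no HR record
]

# Constructed assignment of clients to the representatives who serve them.
ASSIGNED_CLIENTS = {"asmith": {"C-1001", "C-1002"}, "dpatel": {"C-3001"}}
# Assumed list of accounts permitted to hold organization-wide admin rights.
APPROVED_ADMINS = {"svc-reporting"}


def authorize_client_view(acct, roster, assigned, approved_admins, client_id):
    """Enforcement-time check: may this account open this client record?"""
    if not acct.enabled:
        return False
    emp = roster.get(acct.user_id)
    if emp is not None and emp.status == "terminated":
        return False                      # HR status wins even if the CRM flag lagged
    if acct.role == "admin":
        return acct.user_id in approved_admins
    return client_id in assigned.get(acct.user_id, set())


def review_access(roster, accounts, assigned, approved_admins):
    """Periodic review: returns {user_id: [finding, ...]} for accounts needing action."""
    findings = {}

    def flag(uid, msg):
        findings.setdefault(uid, []).append(msg)

    for acct in accounts:
        emp = roster.get(acct.user_id)
        if emp is None:
            if acct.user_id not in approved_admins:
                flag(acct.user_id, "no HR record and not an approved service account")
            continue
        if emp.status == "terminated" and acct.enabled:
            flag(acct.user_id, f"still enabled; employee terminated {emp.termination_date}")
            continue                      # offboarding failure is the finding; the rest is moot
        if acct.role == "admin" and acct.user_id not in approved_admins:
            flag(acct.user_id, "holds admin role but is not on the approved admin list")
        extra = acct.visible_clients - assigned.get(acct.user_id, set())
        if extra:
            flag(acct.user_id, f"can view clients not assigned to them: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for uid, msgs in review_access(HR_ROSTER, CRM_ACCOUNTS, ASSIGNED_CLIENTS, APPROVED_ADMINS).items():
        for m in msgs:
            print(f"{uid}: {m}")
```

Run as a script, the review prints one line each for bjones (terminated but still enabled), clee (unapproved admin) and dpatel (can see a client assigned to someone else); asmith and the approved service account produce no findings. The enforcement check consults HR status as well as the CRM's own enabled flag so that a missed deprovisioning step still fails closed.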
The goal of training is to reduce the risk that an employee becomes the weakest link and serves as the entry point for a breach. As a starting point, employees need to understand and be educated about the considerable risk they often unknowingly pose to their firm. Common employee-related cybersecurity issues include: improper protection of a company computer or mobile device, poor password management, failing to protect personal information, which leaves them vulnerable to social engineering, not utilizing two-factor authentication, inability to recognize email phishing attacks, and the use of outdated anti-virus software.
In addition, employee training is critical as it relates to the risk posed by unauthorized wire or fund transfers. In particular, third party wire requests (e.g. a client asking the firm to send money to a third party) often pose the greatest unauthorized fund transfer risk. Unfortunately, RIA firm clients frequently have their email accounts compromised, and increasingly sophisticated attackers use the compromised account to target the client's financial advisor. Given that staff members typically receive wire requests from clients, it's essential to establish not only thoughtful policies and procedures for fund transfers, but also regular employee training to help prevent this significant business risk.
- Technology
Many RIA firms store sensitive client information on the firm's network and also deploy a bring your own device ("BYOD") policy as it relates to computers and mobile devices. While mandatory information security training may be the first critical step in any firm's cybersecurity plan, frequently the next key focus should be on thoroughly securing the firm's network and devices.
Along with the basics such as a strong password policy, a firewall, and other best practices to help safeguard a firm's network, RIA firms should also be conducting regular vulnerability scans and penetration tests. Vulnerability scans are typically run more frequently and on an automated basis, and focus on known software or equipment vulnerabilities which could be exploited by a bad actor. Penetration tests, on the other hand, generally involve a skilled information security professional attempting to exploit any network or general security weakness. A regular dose of vulnerability scans and penetration tests can help mitigate the risk of a breach caused by an issue such as failing to install a critical software patch or update which fixes a known security issue.
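A scan is only useful if someone acts on it, and the failure mode the paragraph names (a known fix never installed) shows up as a finding that stays open past the firm's remediation window. The following is an added example, not code from the original article or from any scanner vendor: it parses a constructed CSV export in the host/finding/severity/fix-available/first-seen shape that most scanners can produce, reports the findings whose available fix is older than an assumed per-severity SLA, separates out findings that are still waiting on a vendor patch, and exposes a pass/fail gate for critical findings. The SLA windows, host names and finding text are assumed values; no real vulnerability identifiers are used.

```python
"""Patch-SLA triage of vulnerability-scan output (added example, constructed data)."""
import csv
import io
from datetime import date

# Assumed remediation windows, in days from when the finding was first seen.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner export. Rows are illustrative only.
SCAN_CSV = """host,finding,severity,fix_available,first_seen
fileserver01,Missing vendor security update for file-sharing service,critical,yes,2019-02-01
fileserver01,Legacy TLS version enabled on management interface,medium,yes,2018-11-15
wifi-ap02,Default administrative credentials in use,high,yes,2019-03-10
vpn-gw01,Vendor patch not yet released,high,no,2019-03-20
workstation17,Anti-virus definitions out of date,medium,yes,2019-03-28
"""


def parse_scan(text):
    """Normalize the CSV into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"].strip(),
            "finding": r["finding"].strip(),
            "severity": r["severity"].strip().lower(),
            "fix_available": r["fix_available"].strip().lower() == "yes",
            "first_seen": date.fromisoformat(r["first_seen"].strip()),
        })
    return rows


def overdue_findings(rows, today, sla_days=SLA_DAYS):
    """Findings with an available fix that have been open longer than their window.

    `today` is an ISO date string. Result is sorted critical-first, then by how
    far past the window each finding is.
    """
    today = date.fromisoformat(today)
    overdue = []
    for r in rows:
        if not r["fix_available"]:
            continue                                  # nothing to install yet; tracked separately
        limit = sla_days.get(r["severity"])
        if limit is None:
            continue                                  # unknown severity label; don't guess a window
        age = (today - r["first_seen"]).days
        if age > limit:
            overdue.append({**r, "days_overdue": age - limit})
    return sorted(overdue, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), -f["days_overdue"]))


def awaiting_vendor_fix(rows):
    """Findings the firm cannot patch yet; these need compensating controls, not a ticket."""
    return [r for r in rows if not r["fix_available"]]


def patch_gate(rows, today):
    """True when no critical finding is past its window (usable as a go/no-go check)."""
    return all(f["severity"] != "critical" for f in overdue_findings(rows, today))


if __name__ == "__main__":
    rows = parse_scan(SCAN_CSV)
    for f in overdue_findings(rows, "2019-04-01"):
        print(f"{f['severity']:8} {f['host']:14} {f['days_overdue']:3}d overdue  {f['finding']}")
    for r in awaiting_vendor_fix(rows):
        print(f"pending  {r['host']:14} no fix yet      {r['finding']}")
    print("critical gate:", "pass" if patch_gate(rows, "2019-04-01") else "FAIL")
```

With the constructed rows and a review date of 2019-04-01, the critical file-server update is 52 days past its window and the legacy TLS finding 47 days past its window, so the critical gate fails; the wireless access point finding is within its 30-day window and the VPN gateway is listed separately as waiting on the vendor. A finding with no available fix should not be silently dropped, which is why it is reported on its own rather than folded into the overdue list.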
In a BYOD or firm-issued device environment, proper policies and procedures need to be established and implemented to inventory all relevant employee devices and to address encryption and the ability to remotely monitor, track, and deactivate those devices. Ideally, firms need to have the ability to prevent a device from accessing the firm's network and other sensitive third party systems if the device does not have the proper security controls in place, such as updated anti-virus software, proper password protection, and encryption. A compromised and unmonitored device can be the weak link that leads to a breach. Advisory firms should also be very cautious about introducing internet-of-things (IoT) devices to the firm's network, which can provide an unintentional access point to the network and also create other client privacy and data security issues.
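The gating decision the paragraph describes (no network access unless the device is inventoried, encrypted, password-protected, running current anti-virus, and still being monitored) is a posture check that any MDM or network access control product evaluates on each connection. The following is an added example, not code from the original article or from any MDM product: it evaluates a constructed device inventory against those controls and returns an allow/deny decision with the reasons, treating an unknown device and a device that has stopped checking in as failures. The inventory rows, the anti-virus freshness threshold and the check-in threshold are assumed values for illustration.

```python
"""Device posture gate for BYOD and firm-issued devices (added example, constructed data)."""
from datetime import date

MAX_AV_AGE_DAYS = 7         # assumed: anti-virus definitions older than this fail the check
MAX_CHECKIN_AGE_DAYS = 30   # assumed: a device unseen for this long is treated as unmonitored

# Constructed inventory as an MDM or endpoint agent might report it (ISO dates).
INVENTORY = {
    "lt-0001": {"owner": "asmith", "encrypted": True,  "passcode": True,  "av_defs": "2019-03-30", "last_checkin": "2019-03-31"},
    "ph-0002": {"owner": "clee",   "encrypted": False, "passcode": True,  "av_defs": "2019-03-30", "last_checkin": "2019-03-31"},
    "lt-0003": {"owner": "dpatel", "encrypted": True,  "passcode": False, "av_defs": "2019-02-01", "last_checkin": "2019-03-31"},
    "lt-0004": {"owner": "bjones", "encrypted": True,  "passcode": True,  "av_defs": "2019-03-30", "last_checkin": "2019-01-15"},
}


def _days_since(iso_day, today):
    return (date.fromisoformat(today) - date.fromisoformat(iso_day)).days


def evaluate_device(device_id, today, inventory=INVENTORY):
    """Return ("allow", []) or ("deny", [reason, ...]) for a connection attempt.

    `today` is an ISO date string so the decision is reproducible for a given day.
    """
    rec = inventory.get(device_id)
    if rec is None:
        return "deny", ["device not in inventory"]        # unknown devices fail closed
    reasons = []
    if not rec["encrypted"]:
        reasons.append("disk not encrypted")
    if not rec["passcode"]:
        reasons.append("no passcode or screen lock")
    if _days_since(rec["av_defs"], today) > MAX_AV_AGE_DAYS:
        reasons.append("anti-virus definitions out of date")
    if _days_since(rec["last_checkin"], today) > MAX_CHECKIN_AGE_DAYS:
        reasons.append("device has not checked in; treat as unmonitored")
    return ("allow", []) if not reasons else ("deny", reasons)


def access_report(today, inventory=INVENTORY):
    """Evaluate every inventoried device, e.g. for a weekly compliance review."""
    return {dev: evaluate_device(dev, today, inventory) for dev in inventory}


if __name__ == "__main__":
    for dev, (verdict, reasons) in access_report("2019-04-01").items():
        print(f"{dev}: {verdict}" + (f" ({'; '.join(reasons)})" if reasons else ""))
    print("unknown-device:", evaluate_device("unknown-device", "2019-04-01"))
```

Evaluated for 2019-04-01, only lt-0001 is allowed: ph-0002 is unencrypted, lt-0003 has no passcode and stale anti-virus definitions, and lt-0004 has not checked in for over two months, which is exactly the "unmonitored device" case the text warns about. Returning every failed control rather than stopping at the first one gives the employee a complete list to fix before reconnecting.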
- Third Party Vendors
Today, almost all RIA firms utilize third party vendors which not only perform critical operations but also have access to sensitive client information. RIA firms need to actively mitigate the risk of indirect information security breaches via a third party vendor that leads to the exposure of the firm's NPI or other sensitive information.
The vendor due diligence process should commence before initially engaging with a third party vendor and should then continue as an ongoing process as part of the firm's vendor risk assessment process. Areas to probe as part of the vendor due diligence process may include the vendor's contract, access controls, business continuity plan, third party security reviews, history of past information security incidents, and use of any other third party vendors or outside contractors themselves. Given the risks and regulatory requirements related to NPI, it's often much easier to work with a vendor that has deep experience in the investment adviser industry. It's also important to remember that conducting a regular online search or setting up relevant news alerts may help to stay up to date on any potential third party vendor information security issues.
While third party vendor risk cannot realistically be completely eliminated, thoughtful RIA firms can work to mitigate the risk that any single vendor poses to the firm and its clients. While some key vendors such as customer relationship management or portfolio management and reporting software may need access to high levels of sensitive client data, it may not be necessary for other less critical vendors to have access to NPI. RIA firms should ensure that vendors only have access to the absolute minimal level of sensitive data possible in order for them to deliver their service. Investment advisers should also review the contract in place with the vendor to better understand how issues such as liability or insurance coverage are addressed in the event of a breach.
Be sure to check back soon as we continue to provide updates on relevant RIA cybersecurity compliance focus areas and best practices.
Lexington Compliance and RIA in a Box LLC are not law firms, investment advisory firms, or CPA firms. Lexington Compliance and RIA in a Box LLC do not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.