The Securities and Exchange Commission (SEC) recently proposed cybersecurity rules designed to improve registered investment advisers (RIA) firms' resilience against cyber attackers. Within this set of provisions, the SEC sets new requirements for the manner and timeliness in which firms must report cybersecurity incidents. In response to the proposed rules, RIA in a Box has prepared a six-step cybersecurity incident response plan for all employees of advisory firms.
Below, we discuss how advisory firms can act now to execute an effective cybersecurity incident response plan.
The wealth management industry currently faces staggering cybersecurity risk management challenges, such as safekeeping sensitive data and protecting both firms and their clients from cybercrime. The complexity of the cybersecurity landscape, coupled with teams who are underprepared for significant threats because they lack cyber crime knowledge to identify and address threats, leaves firms vulnerable to increasingly sophisticated attackers.
As a compliance and cybersecurity solutions provider, we highly recommend firms regularly provide cybersecurity training to all of their employees. Below is a response plan, created by RIA in a Box's Chief Information Security Officer Julian Makas, for employees to follow if they suspect cyber attackers have targeted them:
- Do not have employees turn their computers off, but rather disconnect from the network. This can be completed on a Windows computer by:
- Clicking on the Start menu.
- Clicking on “Settings.”
- Selecting “Network Connections” in the Settings menu.
- Right-clicking and selecting the “Disable“ option.
- Windows users should start a full system antivirus/anti-malware scan on the computer. Most antivirus programs will create an easy access icon in the Windows Desktop Tray (small icons by the clock on the taskbar), which can be used to quickly launch a scan. Your employees should be comfortable launching these types of scans, and if not, regular IT trainings should take place. Mac users should consult with IT, as the proper steps depend on their specific operating system.
- Contact IT support immediately. It is important employees share detailed information about their suspicions as soon as possible. IT should secure the exact time of the event (as close as possible), what was experienced, and any information/data which might have been entered into screens or used during the incident. This will ensure that the IT support team can help prevent further compromise.
- Once the incident is in the hands of IT, have the employee review their notes and verify everything has been clearly and correctly notated. Employees can email the notes to themselves to keep a record of the incident, which should include:
- The date and time of the incident.
- What software was being used when the incident occurred.
- If any files or email attachments were downloaded.
- What information, if any, was entered into a web browser.
- If a login occurred, what username and password were used. More importantly, is the same password used with any other accounts or logins.
- If the employee logged in, ensure they update all passwords that are the same or similar to the password shared with the attackers. The same/similar passwords should never be reused, and now would be the time to change all those passwords and ensure they are each different.
- Finally, ensure the incident is communicated with management as soon as possible. Proposed SEC regulations may create more stringent requirements for disclosure and record keeping regarding such attacks. The notes taken in steps three and four will be required for your organization to meet these requirements.
Additionally, RIAs can leverage technology to simplify the process for recording and reporting cyber attacks. A comprehensive solution will not only identify and protect your firm against cyber attacks, but also provide automated processes to streamline the required record keeping and reporting.