RIA Compliance and Practice Management Blog

What is an RIA Firm's Best Defense Against Cyber Attacks?

Posted by RIA in a Box

May 11, 2022 1:05:43 PM

RIAB Blog - Cybersecurity Q&A

Amid the increasing cybersecurity threats like ransomware, phishing scams, and malware, regulators are focusing on strengthening cybersecurity measures across the wealth management industry. 

Registered investment adviser ("RIA") firms must enhance their cybersecurity programs to meet the evolving compliance requirements and protect their firms from advanced threats. In this Q & A with Richard Mabbun, Co-Founder of ITEGRIA, we explore how firms can make employees their best cybersecurity defense.

Learn More About How To Protect Your Firm From Ransomware Attacks

Below, cybersecurity expert, Richard Mabbun answers our questions about creating a “cybersecurity defensive army” at an RIA firm.

Q: Financial firms seem to have an uphill battle when it comes to developing a cybersecurity program to defend against today’s sophisticated cyber threats. How should RIA firms get started?

A: Create a plan for your people. The biggest attack vector is a firm’s current and future employees. So, having a plan to take your employees and create soldiers of security for your organization is extremely important, which begins at the hiring process. During the hiring process, develop a strategy to take the temperature of a candidate in terms of their cyber-awareness and cyber-hygiene, perhaps giving them some sort of questionnaire. During the interview process, ask cybersecurity related questions to gauge their willingness to be part of the defense of your organization.

Q: What is the next best step after an employee is hired?

A: Once hired, it's important that you take charge of the training for your employees, and this can be done in two stages. In the first stage, send the individual(s) through a cybersecurity boot camp, to take an untrained individual through different training stages. Set the minimum requirements of cybersecurity training, such as how to recognize a phishing attack, how to recognize common scams, such as social text attacks, for example, from heads of the organization. Give them examples of how to record attacks and recognize that those are attacks.

Q: What is one of the most important concepts that every employee should know with only a basic level of cybersecurity training?

A: Train them to know that coming forward and raising your hand by saying, "Hey, I might have exploited us by clicking a link" is not going to be looked upon as a punitive event by the company. As a matter of fact, the sooner an event is reported, the better. Coming forward must be encouraged. This will make your organization aware that a cyber event may have taken place and then you’ll have a better chance of mitigating before any damage is done.

Q: What other aspects should be considered when creating a cyber security defense army?

A: Consider these scenarios; if an individual feels they clicked on something incorrectly, or they did follow a social engineering attack, what do they do? Who do they call? What are the steps to put that in motion?

Also, it’s imperative to develop a program to continually train your people. You must continually make them aware, continually educate them on new forms of attack, new viruses, new things to look out for, new areas and resources they can use to frequently enhance their cybersecurity fitness.

Q: How can you empower your employees to properly respond to a cyberattack?

A: The first thing is getting an employee to be a soldier rather than just an observer, or a bystander or somebody easily attacked. Once you've made sure that you have your entire employee base through a program that takes them from untrained, to a trained, then you really are in great shape because you created an army that is there to defend against cyber-attacks and recognize the forms of attack. This defense army knows the chain of command and who to contact to move awareness of the situation up the ladder as quickly as possible, and thus giving your cybersecurity teams a chance to be able to mitigate and report back to management. This will also allow communication to flow back to the entire organization to warn of an impending attack.

Learn More About Our Cybersecurity Platform


Topics: RIA Operations, RIA Compliance, RIA Technology

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

RIA Compliance & Practice Management

Stay up to date on the latest RIA compliance, operations, and technology topics.

Hear from industry experts as they keep you up to date on the latest regulatory developments and practice management topics.

Subscribe to Email Updates

Recent Posts