Cyberattacks cause mental distress that few registered investment advisors (RIAs) can envision before an incident occurs. We’ve witnessed that devastation. It’s not an ordeal you want to go through. Being hacked is a violating experience, similar to having your house robbed. For many, a kind of mental fog descends, right when you need to focus and answer a series of complex questions like:
- How do we kick out the hackers and re-secure our environment?
- What caused the breach?
- What information was compromised?
- What do our clients need to know?
- Which regulatory bodies do we need to report to?
- What rights do we have?
It’s disorienting, and an ordeal we don’t allow our clients to experience alone.
Why Every Firm We Work with Has Cyber Insurance
Managed service providers like itSynergy help you stop an attack and close vulnerabilities. But we don’t employ all the other knowledgeable professionals you need to swiftly mitigate the fallout after a cyberattack occurs. We know you need all hands on deck. The best way to quickly access the resources required to handle an attack is to have cyber insurance. We have a policy and require our clients to carry insurance, too.
Cyber policies offer more than financial protection
If you’re hacked and have cyber insurance, you call your provider and explain what happened. Within hours they’ll connect you with a stellar team of experts including:
- Forensic investigators
- Lawyers
- PR/marketing firms
Your insurer will also call in any other knowledgeable professionals needed to swiftly halt the attack and mitigate the fallout. You won’t be tasked with figuring out what needs to be disclosed to clients in Arizona and how that’s different from what people in Colorado need to know. A lawyer will manage it for you.
Cyber insurance mitigates risks after an attack. But you still want to prevent an incident from occurring in the first place. Use the Office of Compliance Inspections and Examinations (OCIE) priorities to build your cyber defenses. That way, the measures you take serve a dual purpose – they’ll simplify compliance.
What the OCIE is Paying Attention to in 2020
You only need to read the memos published by OCIE to see how cybersecurity and compliance overlap for RIAs. Here are the key information security and cybersecurity measures OCIE emphasized in 2020:
Limit access to documents and information to the people who absolutely need it – no one else. In SharePoint, you can easily set up access controls using role-based or identity-based permissions.
Data loss prevention
Hackers blow past external defenses by hoodwinking employees with sophisticated phishing scams. Internally protecting information is as important as securing the perimeter. Data loss prevention keeps confidential information out of the hands of the hackers – even if they successfully breach your organization.
Third-party partners have access to your systems. That is an incredible amount of risk if you don’t manage the relationship properly, or if you choose a vendor with lax security standards. Before working with anyone, do your due diligence. Calculate the risks of partnering with the vendor and decide if you can accept the consequences.
Employee cyber training
Your staff is your weakest link. Without regular cyber training, your employees endanger your organization because they’re susceptible to phishing emails and malicious links.
Incident response planning
An incident response plan (IRP) identifies who is responsible for what during a breach. Pre-defined roles help you act swiftly, get back to work faster and minimize the overall impact of a breach. Put a plan in place and test it regularly.
How to Get Away with Ignoring Compliance Requirements, without Compromising Security
The SEC wants RIAs to be aligned with a cyber standard. You have several options, but we like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). It’s a free, comprehensive resource published by the government. Unlike privately developed standards, it’s a safe bet the NIST CSF will be regularly updated and continue to receive support.
Review NIST guidelines to see which points you don’t need to fulfill
But the NIST CSF has 108 different points. Before you panic, remember an auditor is not going to worry if you look at the 108 points in the NIST CSF standard and determine – within reason – that some don’t apply. Attorneys and former SEC investigators made it clear they aren’t concerned with 100% compliance. In sessions to earn the Investment Adviser Certified Compliance Professional® (IACCP®) designation, they emphasized how important it is for RIAs to do what they say they’ll do.
Set out how you made the decision, who was involved and when the conversation took place. If you raise reasonable points, there shouldn’t be any issues.
5 Questions Every RIA Needs to Answer
To further shore up your security and simplify compliance, answer the following 5 questions:
1. Are your policies and decisions documented?
Auditors want to see that you’re using sound reasoning to make your decisions. Document everything. Show who was involved, what you talked about and how you reached your decision.
2. Where are your policies stored?
Again, OCIE wants to know you’re following through on your policies. They WILL take corrective action if you aren’t. Establish a clear audit trail. We do this in SharePoint sites for our clients. When an auditor asks for a policy or document, they know exactly where to look and can quickly retrieve the information.
3. How do you audit and assess your environment?
There are a variety of assessments, scans and audits you can run. Here are 5 we recommend:
- Rapid security assessment – quickly determines if you have cybersecurity gaps,
- External port scan – highlights external vulnerabilities,
- Internal vulnerability assessment – shows what’s threatening you from inside your organization,
- Windows environment assessment – digs into the specifics of your environment and points out issues like user accounts for people who no longer work for your company, and
- Non-Windows device scan – checks what’s connected to your network to ensure there aren’t any rogue or unknown devices.
4. When was the last time you reviewed your group policies?
Check if all employees are in the right groups and have the appropriate level of access, based on their roles.
5. What’s your process for reaching decisions based on risk?
Auditors like sound reasoning. The easiest way to prove you’ve thought through all potential scenarios is to use an assessment, like our free Risk-Informed Decision-Making template. It quickly points out your weaknesses and sets the right priorities.
Cybersecurity and Compliance Are Time Consuming – Let Us Help You Win Back Time
Our team has a unique blend of cybersecurity expertise and knowledge about the financial services industry. We can run an audit for you and then help you understand which gaps are your biggest cybersecurity and compliance threats. Don’t make it easy for hackers to violate your network. Call us today and get started on a powerful, unified technology strategy to knock out cybersecurity and compliance issues.