Thousands of businesses have discovered this year that their IT compliance and continuity planning fell catastrophically short when they were faced with true problems, including natural disasters and a global pandemic. The Securities and Exchange Commission (SEC) has taken note and issued new guidelines that demand information security. It is time for you to take action. Here is what you need to know to pass your next test.
Uncovering IT Compliance and the SEC Report
The Office of Compliance Inspections and Examinations (OCIE) of the SEC has released a new report on business, RIAs (registered investment advisors) and what you need to do to thoroughly protect customer information in the event of a disaster.
Countless businesses have compliance strategies in place to help them mitigate small disasters. If their office loses power for a day, they are ready. If a fire devastates their building, everyone knows how to work remotely for a few weeks until the office can be repaired.
However, they are missing the big picture, and that is what this memo addresses.
Factoring large-scale disasters and external events
The SEC mandates that RIAs account for large-scale disasters and external events. Businesses often formulate continuity plans that make basic, faulty assumptions. For example, if something happens to their office, they assume they will transport everything to the cloud and have employees work remotely.
– What if the entire city has no power?
– What if, instead of lasting for a day or two, this disaster lasts for several weeks?
Operation resiliency and information security have become a must. These regulations from the SEC were written on the assumption that severe weather events and similar disasters are likely to become more common moving forward. Businesses like yours need to be ready.
What we can see from the Texas storm
Ironically, the memo detailing these recommendations was released nearly simultaneously with the debilitating winter storm that hit Texas and pushed the state to the brink of chaos. The country witnessed firsthand how quickly society can fall into disarray. A lack of power turned into a lack of clean water and then no water at all.
Businesses themselves were left with woefully inadequate continuity plans. The warning and advisories put forth by the SEC should not be viewed as an abstract, worst-case scenario. Millions have already seen how quickly that scenario can become a reality.
The SEC Recommendations for Information Security
In the eyes of the SEC and consumers, RIAs have no excuse not to take the necessary measures to have a continuity plan in the face of problems or natural disasters.
Safeguarding customer accounts
The Division will review procedures to ensure that the applicable businesses have taken the appropriate steps to safeguard customer accounts and prevent intruders from bypassing security. This includes having procedures to verify an investor’s identity before they can gain account access. Zero trust solutions, which require everyone – even those within the network – to be appropriately verified before accessing sensitive account information, provide the best model.
Oversee vendors and service providers
When preparing to work with any type of third-party vendor, businesses must have procedures in place to ask about their security procedures, see how they respond to different types of threats and how they protect customer information.
Businesses want to ask their questions and then receive concrete answers that will help them understand how the vendor will help them with their security posture.
Address malicious email activities
Every day, businesses of all sizes are targeted by phishing attempts or other efforts to illicitly access accounts. RIAs must have plans in place to address the painfully inadequate phishing education that plagues organizations. They also need to have an incident response plan that allows them to properly plan for these cyberattacks. This plan should specifically address what the business will do when hit with a ransomware attack.
The Cost of Noncompliance with the SEC Regulations
Businesses can no longer afford to half-heartedly comply with the SEC’s regulations and guidelines, though it can be tempting. RIA firms watch the rapidly rising influx of regulations and dislike feeling forced to throw more people, time and resources at the problem. Avoiding IT compliance, however, can result in far-reaching consequences.
By the summer of 2020, regulators had already issued $5.6 billion in fines against financial institutions that did not take the warnings seriously. Those fines comprise but one small part of the cost that financial businesses can face.
- While the average fine sat at around $2 million, the total cost to businesses was more than 6 times that amount, when you factor the costs of business disruption, revenue lost and the loss of business productivity during the enforcement period.
- Deloitte has found that 87% of executives recognize the importance of reputational risk and rank it as more important than other strategic risks – and few things destroy reputations faster than hacks that result in customer data theft and news about the business failing to take required steps that could have prevented the disaster.
Remember that the cost to your business stretches beyond any fine you must pay or the immediate loss of business. Noncompliance can dismantle customer trust and damage your reputation.
How ITS Can Help You Prepare
Your risk and IT compliance costs will clearly continue to rise. The risk assessment you make and the precautions you take need to reflect the needs of your business in the modern world, threatened by everything from hackers to severe weather disasters.
Businesses need to consider the right balance of people, processes and technology to make the most of their available resources. At itSynergy, RIAs have access to industry-leading security services at a company headed by a frontrunner in the field. Michael Cocanower, who can boast both an Investment Advisor Certified Compliance Professional designation AND a Certified Ethical Hacker certification, has the expertise and experience needed to provide superior services to customers who want to build a strong security posture and protect their IT infrastructure. With guidance from his team, your business will discover how to balance IT compliance needs with costs to make sure you are prepared for what tomorrow brings.
Contact itSynergy today for your IT solutions
As a managed service provider, let us point you in the right direction. It is time to stop putting off a risk assessment. We can all see the challenges that organizations today must face when keeping their business safe and protected.
Work with us today for a rapid security assessment. We will help you quickly identify any security gaps so that you can uncover the IT solutions needed to ensure that your business is prepared for the future.