The IT Services Challenge for RIAs – Can You Score 100% on This Quiz?
I have a challenge for every registered investment advisor (RIA) firm that outsources IT services in Phoenix and Denver.
Right now, you have 5 points. For each of the 5 business-critical questions below, you either keep a point or lose it. Think you can finish with a perfect 5? Let’s find out.
1. Do You Use Continuing Education to Stay Current on Cybersecurity Threats?
The SEC wants you to pay attention to cybersecurity. They hit it over and over again in communications and compliance requirements. It’s not because they have an affinity for talking about hackers. No, the SEC is relentless because they want you to be relentless.
Cybersecurity-focused continuing education empowers RIAs to fight cybercriminals
It makes business sense, too. If you’re aware of the threats, you’re less likely to respond to phishing emails or invest in security tools that don’t address your vulnerabilities.
For instance, itSynergy’s CEO Michael Cocanower recently co-led a course where attendees gained practical insight into areas where RIAs frequently fall short in the eyes of the SEC: access rights and data loss controls.
- Access rights: permissions users have to access applications, files, systems – anything in your IT environment
- Data loss controls: practices and systems put in place to monitor information and prevent sensitive data from leaving your organization
After sharing deficiencies cited during examinations, the session pivoted to how to use the tools already available to you to plug those gaps. It fulfilled continuing education requirements, shared actionable cybersecurity tips and made it easier for RIAs to meet regulatory requirements.
(Take away 1 point for a “no”)
2. Are Employees Dragging You Into Unsupported Territory?
Your firm made the necessary updates to company devices before Windows 7 reached end of life (you did that, right?). But did your employees update their personal computers that run Windows 7 – and more broadly, do they regularly update all of their devices?
Only thinking about company devices creates a false sense of security
Unless you have a strict policy in place about which devices can access email, files and work chat, your employees will log into business applications from personal smartphones, tablets and computers. Any time they don’t update their software or run an outdated app on that device, they drag your entire firm into unsupported territory.
Why unsupported = 0 security
Unsupported systems – like the retired Windows 7 – don’t get security updates. When a hacker finds a flaw, it’s easily exploited over and over again because no one will send out a patch to fix the problem.
In the case of outdated software or applications, it doesn’t matter that the vendor released a patch to close the gap. If you or someone on your team didn’t install the update, you’re still at risk.
Gain control and true security
Through Microsoft 365, you can monitor and track devices. Other rules can be put in place to limit how and where employees access information. Talk to your IT provider to set up controls and rules for every device – company issued or personal – that connects to your network.
(Take away 1 point for a “yes”)
3. Are You Getting Information – Not Data – Out of Your Risk Assessments?
Risk assessments should provide you with actionable information you can use to make strategic business decisions. If your evaluations spit out a pile of data, or you wind up with items on your to-do list that feel like they’re only there to fulfill an SEC requirement, it’s time to change how you conduct assessments.
Strategic IT services turn assessment data into information
Yes, the assessment is going to give you to-dos based on SEC priorities (it is part of your compliance program after all). But an IT consultant will help you integrate the action items into your overall business and IT strategy.
Your advisor will distill the results in a way that makes it easier for you to:
- Meet and maintain compliance
- Manage compliance-related documentation
- Secure your organization
- Protect client data
- Stay within budget
They’ll also share what you don’t need to do.
How to skip requirements without risks or fines
Don’t get us wrong, you absolutely need to meet compliance requirements – just not every single one. At times, inspectors will care more about documentation and whether or not you do what you say you will.
Using our understanding of technology and of what the SEC wants, we help our financial services clients find a balance between regulatory requirements and what they have the capacity to do. We work with them to run risk assessments, thoroughly document why a risk was or was not mitigated, and maintain records.
(Take away 1 point for a “no”)
4. Do You Follow Through?
Those action items from your risk assessment or any other pre-examination evaluation won’t take care of themselves. Like we said, auditors care about actions. Again, this is where having a strategic advisor on your side is invaluable. When your risk assessment results are tied into your strategy, you have a clear path forward that aligns your compliance needs, technology and business goals.
(Take away 1 point for a “no”)
5. Is Valuable Information Sitting in Download Folders?
It’s amazing what we find in download folders. Personal bank account information. PDFs containing sensitive client information. Countless email attachments. You may not pay attention to what’s in the folder, but it’s the first place a criminal will look if they gain access to your device. They know it’s highly likely there’s information they can exploit or sell waiting for them.
Go check your folder right now
Dive into your downloads and have everyone else at your firm do the same. You only retain your point if every single download folder at your organization is free of information cybercriminals make money on, like:
- Social security numbers
- Bank statements and other account information
- Credit card numbers
- Personally identifiable information (names, addresses, dates of birth, etc.)
- Financial records
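Eyeballing a Downloads folder does not scale past a handful of people, so the check above is one a firm would usually script. The following is an added example, written for this page and not itSynergy's own tooling: it walks a folder, reads text-like files, and flags plausible Social Security numbers (rejecting area, group and serial ranges that are never issued) and payment card numbers (requiring a passing Luhn checksum so order references and phone numbers are not reported). The `demo()` function builds a throwaway folder with constructed sample files; the SSN and card values in it are made up and the card number is a standard Luhn-valid test value, not a real account. PDFs and Office documents would need a text extractor before the same patterns could be applied.

```python
"""Scan a folder for files whose text contains likely SSNs or payment card numbers.

Added example (not from the original page). Scans plain-text formats only;
binary formats such as PDF would need a text-extraction step first.
"""
import re
import tempfile
from pathlib import Path

# File types read as text; everything else is skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".eml", ".html"}

# 3-2-4 digit groups separated by dashes, e.g. 123-45-6789.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum that every issued payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count plausible SSNs and Luhn-valid card numbers in a block of text."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(m.group(0))
    return {"ssn": len(ssns), "card": len(cards)}


def scan_folder(folder: str) -> dict:
    """Map each flagged file (path relative to folder) to its PII counts.

    Files with no findings are omitted so the report only lists what needs action.
    """
    findings = {}
    root = Path(folder)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable or locked file; skip rather than abort the scan
        counts = find_pii(text)
        if any(counts.values()):
            findings[str(path.relative_to(root))] = counts
    return findings


def demo() -> dict:
    """Build a constructed sample Downloads folder and scan it.

    All values below are made up for the example; the card number is a
    Luhn-valid test value, not a real account.
    """
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "statement.csv").write_text(
            "client,ssn\nJane Doe,219-09-9999\n"          # plausible-format SSN
        )
        Path(tmp, "receipt.txt").write_text(
            "Card used: 4539 1488 0343 6467\n"            # passes Luhn
        )
        Path(tmp, "notes.txt").write_text(
            "Order ref 1234-5678-9012-3456 and id 000-12-3456\n"  # fails Luhn; invalid SSN area
        )
        return scan_folder(tmp)


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name}: {counts}")
```

Run it against a real folder with `scan_folder(str(Path.home() / "Downloads"))`. Only file names and counts are reported, never the matched values themselves, so the output can be shared with whoever owns the cleanup without copying the sensitive data into yet another place.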
(Take away 1 point for a “yes”)
Did You and Your IT Services End With a Perfect Score?
Going 5 for 5 is a good indication that you and your firm are strategically using your technology to meet compliance, cybersecurity and business demands. Missing a few points is a sign you should open up a discussion about how to better use your resources.
IT services are more than a support number
Each of the 5 questions we posed is based on services, support or guidance we offer RIA clients. For us, IT services encompass more than being the number businesses call when something breaks. We’re here to make your life easier through technology. What could you simplify by working with us?