OK. We’ve all made it to 2021. It wasn’t pretty and, if you’re anything like us, you’ve learned a lot along the way. The registered investment advisor (RIA) market can expect a few more “pivoting moments” before we get back to business as usual. But from an IT perspective, it’s essential to get a technology strategy in place now that not only supports your staff, but also keeps your business safe from disasters, cyberattacks and more. We can all do better.
This year, we’ve (understandably) heard a lot of excuses as to why the RIAs we’ve met have not kept up with the demands of technology. To help reassure you that you’re not alone, we’ll explore some of the excuses we’ve heard from RIAs about their IT strategy in 2020. Our managed service provider experts have heard a lot this year, so let’s get started!
The Top 5 Excuses We Heard from RIAs in 2020
Whether it’s insecure, on-prem email servers or a disaster recovery plan that hasn’t been tested in several years, we’ve seen a lot of RIAs working within network security systems that are barely holding together.
Until their plans have been tested, it can be difficult for an RIA with no technical background to determine whether those plans will work in an emergency. If you haven’t considered at least partial outsourcing of your IT, you may not have anyone on staff who has the time or the skill to create IT solutions that keep you protected. In 2021, let’s do IT better, together.
With the stress and uncertainty of this year taking a toll, we’ve heard many excuses as to why RIAs haven’t put any effort into their information security strategy. Here are some of the most popular and why they’re so dangerous.
“I’m compliant, so I’m secure.”
Some RIAs make the fatal mistake of believing that just meeting their SEC compliance requirements means that their systems are secure. Anyone who looks at OCIE memos will know that there are major overlaps between cybersecurity and compliance, but they aren’t the same. To protect your system from any vulnerability, you need to treat them as two separate requirements.
“I’m secure, so I’m compliant.”
This works the other way as well. You may have stringent security measures in place, but if you aren’t able to show the proper documentation or you’ve used evidence of simplistic external testing, like an external vulnerability scan, to prove your compliance, you will likely run into issues in the future.
“Yeah, we’ve got file recovery covered.”
Disaster recovery is complex and requires RIAs to fully understand and accept what their current plan offers in terms of recovery point objective (RPO) and recovery time objective (RTO) – the number of files you can lose and the amount of time you can be down for.
Many RIAs who say they have their disaster recovery plan in place and file recovery covered are working with a plan that won’t put them back on their feet for days or even weeks. Is that an acceptable solution for your business? Instead of blindly believing you’ve got it covered, talk to a disaster recovery expert to see if you actually do.
“I’m not sure when we last conducted an IT risk assessment.”
A risk assessment is an ongoing process, and creating one is all about deciding what level of risk is appropriate for your business. It needs to be reviewed over time as your business grows and changes.
This year has marked many different changes, including a massive movement towards remote work. If you haven’t updated your IT risk assessment to reflect these changing circumstances, you probably aren’t secure, and you may not even be compliant.
“I don’t know when our last compliance checkup occurred.”
Speaking of compliance – one of the other excuses that we’ve heard a lot this year was about regular compliance checkups. One of the first questions you’ll see from an OCIE auditor is “Let me see a copy of your policies.” The second question will be “Now, let me see the evidence that you’re monitoring, enforcing and following these policies as written.”
If you don’t have the discipline to update your compliance checkup regularly or if it hasn’t been updated to reflect important changes like remote work, a compliance auditor will likely have some concerns. Fortunately, you can start now and get yourself back in compliance with some diligent work.
“I’ve got it covered … in my spare time.”
If you’re taking care of important things like cybersecurity and disaster recovery plans in your spare time, you don’t have it covered. Instead of taking on too much on your own or keeping key staff members busy with these higher-level tasks, think about whether it’s time to outsource your IT. That way, you can make use of the staff you have for key tasks that only they know how to do.
When you hire a company like itSynergy, you’re bringing in a team with a wildly varied skill set that can do things that are both too boring (installing patches) and too complex (strategic planning) for your in-house IT department. This combination of expertise allows you to rest easy, knowing that your in-house and MSP teams are working together to keep your business protected.
How ITS Can Help Implement Better IT Solutions in 2021
Looking to get a little bit more clarity in 2021? Let itSynergy create the pieces you need for a sound and productive 2021 IT plan. With us on your side, your RIA business can step into 2021 with the confidence that comes from knowing you’ve got IT management covered. Contact us today to talk IT strategy with an expert IT consultant.