Simple Steps for Starting your Cybersecurity Initiative
Several high-profile data breaches have catapulted the issue of cybersecurity into mainstream consciousness in recent years. To date, the advice industry has managed to avoid the widespread attacks that have hit other sectors, and as a result, has perhaps been somewhat slower to ensure that basic precautions are in place to protect client data.
While the industry has yet to be hit hard, it hasn’t remained completely unscathed. Last September the SEC censured an advisor that had suffered a cyber-attack, finding that the firm had failed to adopt written procedures and policies reasonably designed to protect the personally identifiable information, or PII, of its clients, in violation of the “safeguards rule.” The breach compromised the PII of roughly 100,000 individuals and the firm was fined $75,000.
The advisor stored its clients’ PII on a third party web server, yet was held directly accountable, making it clear that regulators now expect firms to have robust cybersecurity practices in place, regardless of whether data is stored in-house or offsite by cloud technology vendors.
The need for cybersecurity as a vital element of any sustainable business plan has arrived, yet it is easy to see why some advisors have not yet taken the necessary steps. Independent advisors are constantly juggling how to run their business, manage investments and provide good client service, making it easy to overlook a seemingly vague threat that may never materialize.
As a software and services provider for investment managers, my company regularly handles sensitive data and we encourage advisors to ask questions about our security measures before turning investor information over to us. Firms that prioritize cybersecurity today will be in a better position to face a regulatory exam and, most importantly, to avoid a data breach. For those ready to embark on a cybersecurity initiative, here are some initial steps to take:
Become informed Familiarize yourself with the SEC risk alerts and sample examination questions to help determine your current readiness. Custodians and RIA study groups are also a great source of guidance on sound practices.
Partner with your vendors While it seems reasonable to expect reputable third party providers to have the necessary security layers in place, if you haven’t asked for specific details, you may not have much evidence of having performed reasonable due diligence when the SEC comes calling. Ask questions like:
· What are your data and privacy policies? What are the policies of your third party technologies or contractors? (Remember that your vendors likely have subcontractors too.)
· Have you performed third party assurance audits (e.g., SSAE16, CSAE, ISAE)? (These audits are good investments, and provide independent assurance.)
· Do you have response and communication procedures in the case of a data breach?
· What type of security practices do you employ for data storage and transmission?
· Do you have a standard due diligence questionnaire you can provide?
Be proactive with clients As media discussions of cybersecurity continue to raise awareness, clients will have questions and expectations about your security practices. Let them know what you are doing before they ask and show them you are staying ahead of emerging data protection issues. You should have corporate policies addressing privacy and data security, including material that can be proactively shared with clients. These corporate policies should discuss the practices you employ while also giving an overview of your due diligence practices for third party vendors.
Get help when you need it Consider hiring a consultant to write a data security policy or for vendor due diligence. Many third party compliance firms now offer these services and can help get your practices up to generally accepted levels while you stay focused on your clients. Investors will be happy that a dedicated, reputable provider is handling practices like wiping hard drives and shredding documents – as long as you have done the proper due diligence on the vendor from the outset.