There are many things that can keep independent advisors from getting a good night’s sleep. Cybersecurity is definitely one of them. A survey by the Investment Advisor Association and ACA Compliance Group found cybersecurity to be a top compliance concern of 83 percent of Registered Investment Advisors surveyed. News accounts of security breaches, with financial services firms as frequent targets, are all too common. It makes a great deal of sense to have a solid plan for cybersecurity that is constantly scrutinized.
Where to Start
Scammers seem to be constantly at work trying to separate people from their money online. It can be daunting to figure out how to keep them from succeeding, but it is essential to protect client data if your business is financial planning or managing assets. The Securities and Exchange Commission (SEC) and state securities regulators will make sure you do.
The SEC Office of Compliance Inspections and Examinations (OCIE) made cybersecurity a priority. This includes making sure advisors have both written policies and solid methods to keep devices and data safe. When developing and reviewing such policies, consider consulting three OCIE Risk Alerts that “remind advisors of their obligations” and “help advisors improve their systems, policies, and procedures.”
- Electronic Messaging https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf
- Customer Privacy https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf
- Data Protection https://www.sec.gov/ocie/announcement/risk-alert-network-storage
Many experts agree that elements of a written plan should include policies on mobile computing, virus protection, remote access, and training. Website monitoring and protection are also very important, since a typical site experiences 63 attacks per day, according to an analysis by Sitelock.com.
A recent CNBC article discussed the importance of having a written incident response plan “spelling out the necessary steps to address a cybersecurity incident, vulnerability assessments, and details on who is responsible for implementing the plan after a data breach.” It is also a good idea to ask third-party vendors doing business with your organization about their cybersecurity plan and procedures.
Testing is Essential
The Investment Advisor Association survey suggests firms are turning their concerns about cybersecurity into action, with 70 percent indicating that their firms increased compliance testing compared to the previous year. A high percentage say they conduct cybersecurity compliance checks and risk assessment. Testing should be conducted to make sure the policies are actually being implemented. If the testing reveals a vulnerability, such as a lack of training, be prepared to fix the problem.
That same survey found two-thirds of respondents said they had cyber insurance, which can provide some peace of mind amid the constantly evolving digital threats. But Insurance Business Magazine cautions against letting cyber insurance create a false sense of security. The article cited FM Global research which found 70 percent of senior financial executives surveyed mistakenly believe most or all losses caused by a cyberattack would be covered by cyber insurance. “While insurance is an essential part of the risk management formula, there are losses related to a cyberattack that insurance cannot cover—like damage to a company’s reputation, lost market share, missed growth opportunities, decreased valuation, and losses stemming from increased cost of capital,” said Kevin Ingram, executive vice president and chief financial officer at FM Global.
A multi-faceted approach is advisable when putting a cybersecurity plan together for your practice. It’s not a small task, since at stake is not only sensitive client information but your firm’s brand reputation as well. Cutter & Company takes its cybersecurity responsibilities seriously. Your clients expect you to protect their personal data - make sure you are doing all you can to keep their information safe.