It sounds futuristic, or like CSI: Cyber, a sci-fi world of white hat/black hat hackers, and of constant threats to national security and the financial markets caused by the digital world we live in. Based on the latest SEC and FINRA reports on the topic, however, fiction seems to morph more and more into reality. The numbers are staggering: 74% of all investment advisors (and 88% of the BDs) polled in a 2014 OCIE National Exam Program sweep had experienced cyber-attacks, either directly or through a vendor. In their reports, both FINRA and the SEC found a number of things left to be desired from a prevention and response perspective. What I found interesting is that FINRA observed that most “successful attacks took advantage of fairly basic control weaknesses”. I found the FINRA report, most of its 46 pages anyhow, very helpful for designing or re-evaluating your cyber-security compliance program. Here are the top seven tips on my list:
- Establish and Implement a Cybersecurity Governance Program. Not too much to say about this one, and based on the sweep, most of you have it anyhow. As always, design processes, procedures and oversight programs that suit your business and that you can effectively adhere to. Define metrics, dedicate resources, and make sure to involve your board and senior management.
- Manage Data Access. Technical controls are where the rubber hits the road. Manage who has access, to what portion of the data, how access can be obtained, and for how long. Limit users’ access to what they need, require strong passwords, and use encryption. This applies to internal and external parties alike. Educate clients on how to mitigate risk. Pay particular attention to portable media.
- Undertake Regular, Enterprise-Wide Risk Assessments. Regularly assess threats and how they can be remediated. Stay on top of occurrences at other firms and mitigate your own weaknesses based on trends. Talk to peers, attend conferences, etc. to learn about industry best practices and share intelligence.
- Be Prepared to Respond When Incidents Occur. Define the response and the key players in it. The operative words are: contain and mitigate, eradicate and recover, investigate, notify and make customers whole.
- Know Your Vendor’s Cybersecurity Practices. Perform due diligence on your vendors’ cyber-security history and program as part of the selection process. Address risks in your contract. Monitor vendor entitlements and establish a process to terminate access immediately when needed.
- Train Your Employees. Educate your staff about the potential threats and reinforce healthy day-to-day habits. Training should cover common scams (phishing, identity theft), risk awareness, password protection, and physical and mobile security, and should be tailored to the audience.
- Get Insurance. Consider obtaining insurance as one way of transferring exposure from cyber-incidents. Periodically analyze adequacy.
I encourage you to read the entire FINRA report — it contains many general suggestions that apply to advisors as much as they do to broker-dealers. After all, it seems only a question of when, not if, your firm will be affected. And being in the SEC cross-hairs for deficiencies might be the least of your problems when that happens.