Cybersecurity Compliance Doesn’t Equal Cybersecurity

For small- to mid-sized RIA firms, a key part of cybersecurity compliance is completing a checklist or questionnaire from a broker-dealer or a regulator.

Do you have a network firewall in place? Check. Anti-virus? Check. And so on. But checking all the right boxes doesn’t mean your firm and clients are reasonably protected against catastrophic data breaches and other cyber-crime.

Using a checklist, such as FINRA’s Cybersecurity Checklist for Small Firms, is a reasonable start toward a viable cybersecurity program.

But with this type of checklist, certain key items deserve follow-up questions, because a checked box only tells you a control exists, not whether it is actually effective.

Let’s look at five of the typical checklist items, and the follow-up questions you should be answering:

  1. Document the types of data you collect and where it’s stored.

Follow-up question: Do we really need to collect all this data?

The more data you collect, and the more network drives, devices, and users that have access to it, the greater the risk that the data will be exposed and exploited.

The SEC and FINRA recommend that you inventory the types of data your firm collects and where that data is stored. As you do this, take an extra step: Ask what would happen if you didn’t collect this particular data.

For data you do need, ask whether you’re needlessly collecting it in more than one place. For example, do you store clients’ Social Security numbers in an investment account database and also in a billing database? If so, can you remove it from one of these?
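One way to turn this follow-up question into a repeatable check is to scan each data store for columns whose contents look like Social Security numbers, rather than trusting column names (a billing system might call the field taxpayer_id), and then report every store that holds them. The script below is an added example, not code from the original article; it builds two small in-memory SQLite databases with made-up sample rows to stand in for an investment-account system and a billing system, and the function names and the 50% match threshold are assumptions chosen for illustration.

```python
import re
import sqlite3

# Formatted US Social Security number (NNN-NN-NNNN). Added example; the
# pattern, threshold and helper names are illustrative assumptions.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def build_sample_stores():
    """Construct two in-memory SQLite databases with constructed sample data:
    an investment-account store and a billing store that both hold SSNs,
    the billing one under a differently named column."""
    accounts = sqlite3.connect(":memory:")
    accounts.executescript("""
        CREATE TABLE clients (id INTEGER, name TEXT, ssn TEXT, email TEXT);
        INSERT INTO clients VALUES (1, 'A. Client', '123-45-6789', 'a@example.com');
        INSERT INTO clients VALUES (2, 'B. Client', '987-65-4321', 'b@example.com');
    """)
    billing = sqlite3.connect(":memory:")
    billing.executescript("""
        CREATE TABLE invoices (invoice_no INTEGER, taxpayer_id TEXT, amount REAL);
        INSERT INTO invoices VALUES (1001, '123-45-6789', 250.0);
        INSERT INTO invoices VALUES (1002, '987-65-4321', 300.0);
    """)
    return {"investment_accounts": accounts, "billing": billing}


def find_ssn_columns(conn, min_ratio=0.5):
    """Return (table, column) pairs whose text values mostly look like SSNs.
    Values are inspected, not column names, so a renamed column is still found."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk).
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = conn.execute(f'SELECT "{col}" FROM "{table}"').fetchall()
            values = [r[0] for r in rows if isinstance(r[0], str)]
            if not values:
                continue
            matches = sum(1 for v in values if SSN_RE.match(v))
            if matches / len(values) >= min_ratio:
                hits.append((table, col))
    return hits


def ssn_inventory(stores):
    """Map each store name to the list of SSN-bearing (table, column) pairs."""
    return {name: find_ssn_columns(conn) for name, conn in stores.items()}


def duplicated_stores(inventory):
    """Return the stores holding SSNs when more than one does; an empty list
    means the data lives in a single place and there is nothing to consolidate."""
    holders = [name for name, cols in inventory.items() if cols]
    return holders if len(holders) > 1 else []


if __name__ == "__main__":
    inv = ssn_inventory(build_sample_stores())
    for store, cols in inv.items():
        print(store, cols)
    print("SSNs stored in more than one place:", duplicated_stores(inv))
```

Running it against real systems means pointing the connections at the actual databases and extending the patterns to the other identifiers your inventory lists; the output is the list of places to ask "can we remove it from one of these?" about.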