For small- to mid-sized RIA firms, a key part of cybersecurity compliance is completing a checklist or questionnaire from a broker-dealer or a regulator.
Do you have a network firewall in place? Check. Anti-virus? Check. And so on. But checking all the right boxes doesn’t mean your firm and clients are reasonably protected against catastrophic data breaches and other cyber-crime.
Using a checklist, such as FINRA’s Cybersecurity Checklist for Small Firms, is a reasonable start toward a viable cybersecurity program.
But with this type of checklist, certain key items should include follow-up questions that will tell you whether these steps are truly effective.
Let’s look at five of the typical checklist items, and the follow-up questions you should be answering:
- Document the types of data you collect and where it’s stored.
Follow-up question: Do we really need to collect all this data?
The more data you collect, and the more network drives, devices, and users that have access to it, the greater the risk that the data will be exposed and exploited.
The SEC and FINRA recommend that you inventory the types of data your firm collects and where that data is stored. As you do this, take an extra step: Ask what would happen if you didn’t collect this particular data.
For data you do need, ask whether you’re needlessly collecting it in more than one place. For example, do you store clients’ Social Security numbers in an investment account database and also in a billing database? If so, can you remove it from one of these?
- Password-protect systems you use to store, process or transmit PII.
Follow-up question: Do the users with access to these systems understand how to create effective passwords?
Passwords are among the most common protections for sensitive data. But they’re often the least understood. In fact, some firms will leave default passwords in place for network devices and software – hackers love that handy backdoor into networks.
Create a policy for generating strong, unique passwords and make sure your employees use it. I recommend a password management tool such as LastPass.
- Use a firewall, anti-malware and antivirus software.
Follow-up question: Do you have a system in place to make sure updates and patches for this software are installed promptly?
Cybersecurity software runs in the background, and most RIAs rarely or never interact with it directly, so it is easy for updates and patches to go uninstalled. That’s not acceptable for a firm dedicated to safeguarding its clients’ money and financial data.
- Conduct regular, automatic data backups, using redundant, secure storage methods.
Follow-up question: Have you tested actually running your business using backup data?
Your written cybersecurity plan, according to the SEC, should include an “incident response plan” that details how you would conduct your business in the case of, say, a natural disaster that disables your offices, or a ransomware attack that blocks access to your data.
I’ve worked with many clients who have written incident response plans, but have never tested running their critical operations using backup data.
Perhaps your incident response plan is to run your network in the cloud while your PCs are being wiped and reloaded with backup data. Exactly how would that happen? More questions to consider:
- Could your staff work remotely and access their virtual private network (VPN) and/or Bloomberg terminal?
- Could your clients use your client portal to check their investments or make changes to their 401(k) plans?
- Who would alert your cloud backup service?
- Do you have an IT vendor in place who would initiate the reinstallation of your office machines?
Your incident response plan may answer these questions. But until you’ve tested it in real time, you don’t know which problems might arise. And the worst time to find out is during an actual emergency.
- Protect remote devices that have access to PII.
Follow-up question: Could you wipe PII from the personal remote device of someone who’s been fired or has lost the device?
The FINRA checklist asks you to list protections on devices such as mobile phones that have access to sensitive data.
For example, is the data accessible through the device encrypted? Does the device require multi-factor authentication (such as a password and a fingerprint)?
These protections are important. But if it’s a personal device of someone who is fired or loses the device, that data is vulnerable if you don’t have software in place that allows you to disconnect the device from your networks and/or wipe any sensitive data that’s stored on it.
Regulators will always lag behind cyber-criminals
Cybersecurity compliance is particularly difficult for RIA firms that are big enough to have significant IT infrastructures, but not big enough to have in-house cybersecurity expertise.
One result is that you may respond to checklist items like the five mentioned above with the correct answers, and yet fail to actually protect your firm from cyber-attacks.
Next time you’re presented with a cybersecurity checklist, complete it with the help of an outside expert. Use your checklist responses to update your written cybersecurity plan. And then take these steps:
- Review your cybersecurity plan every year.
- Test critical elements such as the incident response plan, either through a table-top simulation or a complete walk-through.
- Update the plan as your IT infrastructure (network devices, cybersecurity software, etc.) changes, or the type of data you collect changes.
- Check the SEC and FINRA cybersecurity web pages periodically. Another excellent source is the National Institute of Standards and Technology (NIST) small business cybersecurity page.
RIA firms have so much to lose from cyber-crime (bad publicity alone from a data breach can sink a smaller firm) that you simply can’t limit cybersecurity to basic compliance. By nature, regulations will always trail cyber-crime trends by a wide margin. Be responsible, informed and compliant.
Reid Johnston is the CIO and cofounder of Teal, a national IT managed services company specializing in cybersecurity for small to medium-sized financial services companies. Contact him at [email protected] for more information.