Marin Community Foundation
Are you Cybersecure?

3 Tips for Enhancing Your Firm’s Cybersecurity Readiness

Originally published by IRIS on March 24, 2017

After witnessing massive cybersecurity breaches at companies such as Adobe, Target, Home Depot, Sony, Experian and JPMorgan over the past four years, wealth management firms, like members of many other industries, have ramped up efforts to protect sensitive client information from hackers.

I work with financial advisors, family offices, broker-dealers and asset managers across the U.S. to create cybersecurity and IT solutions that meet their business and compliance needs, and based on what I have seen, many wealth managers do have solid cybersecurity measures in place.

The problem isn’t that they don’t have a cybersecurity plan—the problem is that not every staff member follows all the steps in the cybersecurity plan, or even knows to do so. This is important, because during SEC regulatory audits, the examiner doesn’t just want to see that you have all the necessary tools to protect sensitive financial information. They also want to make sure you and all your team members actually know how to use them, and regularly test them.

Below are three tips on best practices for enhancing your firm’s cybersecurity readiness to protect your clients’ sensitive financial data as the threat of cyber-attacks continues to increase.

1. Universal Adherence is Key

In this day and age, all it takes for your firm to experience a reputation-damaging and costly data breach is one employee losing a company mobile device that isn’t password-protected. To truly protect your clients and your firm, all cybersecurity procedures must be followed by every employee.

I can’t tell you how many times I’ve heard an advisory firm’s chief compliance officer or chief IT officer say, “Well, we tell people to do something, but so and so is a managing director and he doesn’t want to do it, and we can’t force him to do it.”

This excuse won’t pacify investors when their personal information is stolen by hackers. It won’t pacify SEC examiners during audits either.

Unfortunately, I’ve seen more than a few 40-person advisory firms where 38 employees utilize two-factor authentication to protect their devices. More often than not, the two holdouts who refuse to use two-factor authentication are senior advisors who wind up putting the entire company, and all its clients, in jeopardy, because they have access to everything in the system.

Cybersecurity processes need to be universally followed across your organization in order to be effective. Your cybersecurity protocols are rendered ineffective if even one person ignores them.  

2. Make Sure Your Cybersecurity Policies are Easy to Understand, and Require Cybersecurity Training for All Employees

Drafting firm-wide cybersecurity policies is important, but for all employees to follow them, those policies need to be understandable to all team members. Don’t write your cybersecurity protocols in legalese; compile them in a handbook similar to the easy-to-understand employee handbook distributed by your human resources department.

Also, don’t just give out your cybersecurity handbook—you should hold regular security awareness and training sessions to ensure that all employees really understand what’s written in it.

Think of this as the cybersecurity equivalent of insider-trading awareness. If you don’t hold educational seminars about security on at least a quarterly basis, then you can’t make your employees aware of what constitutes a breach of cybersecurity protocol. Also, hackers are consistently developing new ways to thwart cybersecurity protections—and if your employees aren’t aware of these new threats, they may click on a link or open an attachment with the latest malware.

After all, no hacker is attacking companies by breaking through firewalls anymore. That’s only in the movies. Today, every cyber-attack is socially engineered—in other words, the hacker managed to trick the employee. This is why security awareness training is so important.

3. Embrace The Cloud

The cloud offers unlimited, secure storage for data and documents. But too many members of the wealth management industry are afraid to embrace cloud computing solutions. I often hear from wealth managers, “If I put my firm in a cloud, then that makes my firm a much bigger target and puts our clients at greater risk.”

This isn’t true. Even FINRA, one of the regulators that monitors RIAs and broker-dealers for compliance with cybersecurity requirements, utilizes cloud computing solutions to securely and efficiently process the innumerable daily transactions on its plate.

Wealth management firms that lack the financial and technological resources to implement and monitor cloud-based solutions can partner with an outside IT provider to do so. Such a partner should be able to consolidate all the apps, data and documents across your organization into a centralized digital portal, and make seamless updates to compliance and cybersecurity features as new regulations and threats develop.

Outside IT providers can also assist you with managing all mobile devices across your organization, ensuring that all activity is securely logged for audit trails and that all employees are following your cybersecurity protocols—and giving you more time to focus on running your business and servicing your clients.