Prepare for cybersecurity before it becomes a problem

May 18, 2017 by Justin Kuepper

A group of business people meeting about cybersecurity in their business

about the author:

Justin Kuepper

Reporter at Investopedia

Justin Kuepper has many years of experience in the market as an active trader and a personal retirement accounts manager. He spent a few years independently building and managing financial portals before obtaining his current position with Accelerized New Media, owner of SECFilings.com, ExecutiveDisclosure.com and other popular financial portals. Kuepper continues to write on a freelance basis, covering both finance and technology topics.

Imagine that you are updating a client’s financial plan and suddenly the computer screen goes blank. A message appears demanding a $10,000 ransom paid within the hour or else the entire hard drive will be erased. At first, you worry about losing months’ worth of work. Then, the prospect of stolen information becomes even more alarming. You will have to notify clients of the security breach — many of whom may drop you as their advisor — and you may be hit with fines from FINRA.

This scenario may sound like something that does not actually happen outside of TV, but it has become an increasingly common form of cyberattack known as ransomware. These types of attacks can originate from something as innocuous as an email from a colleague with a virus that is disguised as a spreadsheet or an invoice. Many financial advisors are ill-prepared to prevent these kinds of attacks as they occur more frequently in today’s tech-driven world.

Cybersecurity is now a primary focus for regulators, and it should be a concern for all financial advisors regardless of size.

Increased regulatory focus

The U.S. Securities and Exchange Commission (SEC) began taking a closer look at cybersecurity issues and conducted its first sweep of more than 100 broker-dealers and investment advisors in 2014. After releasing its findings the following February, the agency announced another round of examination by September. Since then, both the SEC and FINRA have placed cybersecurity near the top of their priority list.

These agencies now routinely look at financial advisors’ security controls through testing and assessments. In many cases, these examinations could lead to an increasing number of enforcement actions aimed at encouraging advisors to improve their security infrastructure. The agencies’ key areas of focus include governance, access rights, data loss prevention, training, and incident response, among other topics.

During these examinations, regulators will request a firm’s information security policies and procedures, interview staff members, and request information on security incidents that the firm has already experienced. Financial advisors should be prepared to answer all of the questions present in the agencies’ existing guidance, while addressing more technical and detailed questions that may be asked for additional clarity.

Financial advisors should focus their efforts on two areas when it comes to meeting cybersecurity requirements and protecting client data. The first area is technology that ensures client data is secured and helps avoid any problems from the onset. The second area of focus is documentation that helps meet regulatory requirements and ensures that policies are in place to govern the installation and maintenance of technology solutions. 

Technology solutions for cybersecurity

There are many different types of technology that help secure networks and ensure cyber criminals cannot access sensitive information. In most cases, financial advisors can work with IT consultants to select the best technologies and ensure that they are properly installed. It may also be helpful to have these consultants train staff members, in order to avoid what are often the weakest links humans. The most important technologies to implement include:

  • Hardware firewall: Prevents unauthorized access of a computer network from outside sources by whitelisting every approved connection and blocking all others
  • Software encryption: Secures sensitive data by rendering it unreadable by anyone that does not possess the encryption key or passphrase
  • Access management: Ensures that all advisors in a practice have their own individual accounts that are segregated to prevent one breach from compromising all data
  • Antivirus/spyware: Prevents the installation and spread of viruses and spyware on computers connected to a network and quarantines any viruses that already exist
  • Secure remote access: Secures access to a network’s computers from advisors that are working at home or away from the office through encrypted communication
  • Portable media encryption: Ensures that stolen USB drives and laptops are locked down in order to protect sensitive client information
  • Software updates: Ensures that all software solutions installed on a computer are kept up-to-date in order to close any security holes discovered by the vendor
  • Personnel training: Helps personnel understand how to avoid key security risks that tend to be the most common entry point for cyber criminals

Proper documentation

FINRA and the SEC have documentation requirements that tend to surface when these agencies conduct examinations. In many cases, the documentation of security procedures is as important as the actual security measures when it comes to enforcement actions.

The SEC Office of Compliance and Examination’s Cybersecurity Initiative and the 2015 Cybersecurity Examination Initiative are good places to start. In the document, the regulatory agency outlined its focus on governance and risk assessment; access rights and controls; data loss prevention; vendor management; and training. The document then discusses the specifics associated with the implementation and documentation of solutions in these areas.

For example, the access rights and controls section outlines the following documentation requirements:

Firm policies and procedures regarding access by unauthorized persons to firm network resources and devices and user access restrictions (e.g., access control policy, acceptable use policy, administrative management of systems, and corporate information security policy), including those addressing the following: Establishing employee access rights, including the employee’s role or group membership; Updating or terminating access rights based on personnel or system changes; and, Any management approval required for changes to access rights or controls.

Financial advisors should take the time to ensure they can fully answer these questions ahead of time. Any failures to address these questions and concerns could lead to enforcement actions.

The bottom line

Cybersecurity remains a major concern among clients and a top priority among regulators at the SEC and FINRA. For financial advisors, it is more important than ever to secure data with technology and ensure that everything is documented for regulators. Those that fail to address these issues could face an increasing risk of regulatory actions, fines, and other consequences as the policies mature on a regulatory level not to mention the potential loss of a valued client.

This article from Investopedia was written by Justin Kuepper.