June 24, 2019

Cybersecurity for RIA Firms

We recently hosted 175 RIA firms on a webinar discussing the relevance and importance of protecting advisory clients from cyber threats.

We began by addressing three common misperceptions that sometimes prevail within our industry.

1) Cyber threats against RIA firms are rare.

Regrettably, this isn't the case. Just among our client base, we see attempted (and in one case successful) cyber frauds occur all the time. In fact, 10% of our clients (the clients of our clients, to be exact) have been the target of cyber fraud, usually by means of a hacked email account and a fraudulent wire request.

Michelle Wraight, vice president and chief privacy officer at Pershing, agrees: “We’re seeing wire transfer fraud at epidemic levels.”

2) Cybersecurity is a “big firm” problem.

Every RIA, big or small, has points of vulnerability. In fact, regulators have specifically noted that smaller RIA firms will not get a pass when it comes to putting procedures in place to protect clients.

3) Cybersecurity is an IT issue.

Cybersecurity requires a multi-pronged approach. Effective cybersecurity goes way beyond information technology. Effective cybersecurity risk management is a cross-functional challenge that must also address operational processes, vendor management, regulatory requirements and human resources.

We then addressed the topic from a regulator's perspective. Regulators expect compliance and risk management to be an integrated part of the operations of your business. Cybersecurity is not just a technology concern.

The SEC's Office of Compliance Inspections and Examinations (OCIE) recent cybersecurity initiative was designed to assess the preparedness of RIAs and ensure that firms are taking the necessary steps to mitigate cyber threats. The areas examined include: preparedness, firm governance, identification and assessment of risks, protection of networks and information, remote access, and funds transfer requests.

We then provided some practical steps for RIAs to follow that would not only satisfy regulatory expectations but also protect their clients from the very real threats that exist today. They include: maintaining a working knowledge of all clients (and their "normal" activity with respect to wire requests), securing mobile devices, securing hardware and office space, and setting procedures and controls that govern how your firm processes client wire requests.
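The last two steps above, knowing each client's normal wire activity and having a control that governs how a wire request is processed, can be turned into a concrete screening step. The following is an added example, not code from the original post or from the firm that ran the webinar. It assumes a hypothetical per-client profile (previously verified beneficiaries and a history of verified wire amounts) and flags any request that names a new beneficiary, is far larger than the client's usual wires, arrives by email (the channel most often hijacked in the fraud described above), or presses for speed. Any flag routes the request to a callback on the phone number already on file rather than to contact details supplied in the request itself.

```python
"""Screen an incoming wire request against a client's baseline activity.

Added example; the ClientProfile/WireRequest structures and the thresholds
are assumptions for illustration, not a standard or a product's own API.
"""
from dataclasses import dataclass, field
from statistics import median


@dataclass
class ClientProfile:
    client_id: str
    known_beneficiaries: set      # beneficiary accounts verified on earlier wires
    past_wire_amounts: list       # amounts of previously verified wires


@dataclass
class WireRequest:
    client_id: str
    beneficiary: str
    amount: float
    channel: str                  # "email", "phone", or "portal"
    urgency_language: bool        # request insists on speed or secrecy


@dataclass
class ScreeningResult:
    flags: list = field(default_factory=list)

    @property
    def requires_callback(self) -> bool:
        # Any single flag is enough to require out-of-band verification.
        return bool(self.flags)


def screen_wire_request(req: WireRequest, profile: ClientProfile,
                        amount_multiplier: float = 3.0) -> ScreeningResult:
    """Return the list of reasons this request departs from the client's norm.

    amount_multiplier is an assumed threshold: a wire larger than this many
    times the client's median past wire is treated as an outlier.
    """
    result = ScreeningResult()

    if req.beneficiary not in profile.known_beneficiaries:
        result.flags.append("new_beneficiary")

    if profile.past_wire_amounts:
        typical = median(profile.past_wire_amounts)
        if req.amount > amount_multiplier * typical:
            result.flags.append("amount_outlier")
    else:
        # No history to compare against: treat as unknown, verify by phone.
        result.flags.append("no_history")

    if req.channel == "email":
        result.flags.append("email_origin")

    if req.urgency_language:
        result.flags.append("urgency_language")

    return result


def verification_steps(result: ScreeningResult) -> list:
    """Translate flags into the procedure staff must follow before processing."""
    if not result.requires_callback:
        return ["process per standard procedure", "log request"]
    steps = ["hold request",
             "call client at the phone number on file (never a number in the request)",
             "confirm beneficiary and amount verbally"]
    if "new_beneficiary" in result.flags:
        steps.append("obtain second approver sign-off for the new beneficiary")
    steps.append("record the verification outcome")
    return steps


# Constructed sample data for demonstration; not real client records.
SAMPLE_PROFILE = ClientProfile(
    client_id="C-1001",
    known_beneficiaries={"ACCT-111", "ACCT-222"},
    past_wire_amounts=[5000, 7500, 6000, 8000],   # median 6750
)

SUSPICIOUS_REQUEST = WireRequest(
    client_id="C-1001", beneficiary="ACCT-999", amount=45000,
    channel="email", urgency_language=True,
)

ROUTINE_REQUEST = WireRequest(
    client_id="C-1001", beneficiary="ACCT-111", amount=6000,
    channel="portal", urgency_language=False,
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS_REQUEST), ("routine", ROUTINE_REQUEST)):
        res = screen_wire_request(req, SAMPLE_PROFILE)
        print(label, res.flags, verification_steps(res))
```

The point of the structure is that the decision to hold and call back is made by a rule the firm can write down and examine, not by whichever staff member happens to read the email; the thresholds and beneficiary lists are where the "working knowledge of all clients" from the post is recorded.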
