
July 1, 2019

Cybersecurity


Cybersecurity has been, and will continue to be, a focus of industry regulators. How important is this theme? So important that the SEC has included cybersecurity in its annual examination priorities for the last five years. The SEC's 2019 examination priorities indicate that the focus areas will include proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information, risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.

The SEC announced in March 2019 that it would be conducting its third round of cybersecurity sweep exams. The prior sweeps occurred in 2014 and 2017, and the first two were similar in scope. The Office of Compliance Inspections and Examinations (“OCIE”) examined firm policies and procedures and the documentation supporting that those policies were being followed. Issues identified included procedures that provided only general guidance, offered limited examples of safeguards for employees, and were generally too vague. The staff also noted that in a number of cases firms were in fact not enforcing their policies and procedures, or the policies and procedures did not reflect actual practices.

In May 2019, the SEC issued a Risk Alert regarding the safeguarding of customer records and information within firms' network storage, as well as the use of third-party security features. During the course of examinations, OCIE noted misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures. The alert communicated that effective policies and procedures should address initial installation, ongoing maintenance, and vendor management.

Cybersecurity threats will only continue to increase: the supply of nefarious individuals and organizations is seemingly never ending, and they keep creating phishing schemes and a variety of other ways to infiltrate firm systems.

We believe the following misperceptions remain prevalent within the RIA industry:

1) Cyber threats against RIA firms are rare.

Regrettably, this isn't the case. Just among our client base, we see attempted cyber frauds occur all the time. Some of our clients (the clients of our clients, to be exact) have been the target of cyber fraud, usually by means of hacked email accounts and fraudulent wire requests.

2) Cybersecurity is a “big firm” problem.

Every RIA, big or small, has points of vulnerability. In fact, regulators have specifically noted that smaller RIA firms will not get a pass when it comes to putting procedures in place to protect clients.

3) Cybersecurity is an IT issue.

Cybersecurity requires a multi-pronged approach and goes well beyond information technology. Effective cybersecurity risk management is a cross-functional challenge that must also address operational processes, vendor management, regulatory requirements, and, most importantly, the management of people. Truth be told, we, as humans, are often the weak link that turns a cybersecurity event into a damaging one.

When establishing policies and procedures, RIAs should follow a number of prudent steps that not only satisfy regulatory expectations but also protect their clients from the very real threats that exist today. They include:

  • Maintain a working knowledge of all clients (and their “normal” activity with respect to wire requests);
  • Secure mobile devices;
  • Secure hardware and office space, and set procedures and controls that govern how your firm processes client wire requests;
  • Use encryption tools to send sensitive client information via email;
  • Stay current with patches and updates; and
  • Test your policies and procedures to ensure they are being followed or to identify where they require enhancements.



September 13, 2017

Addressing the Equifax Breach with your Clients

If it is not yet apparent, cybersecurity is the biggest risk facing independent RIAs. When the fraud protector becomes the weakest link, it is time to take notice.

From mid-May through July 2017, the personal information of approximately 143 million consumers was exposed during a long running data breach at Equifax (one of the nation’s three major credit reporting agencies).

The personal information that was accessed during the breach included:

  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • Driver’s license numbers
  • Credit card numbers for about 209,000 people
  • Credit dispute documents for about 182,000 people

In response to the breach, Equifax published a press release late on Thursday (9/7) announcing the breach and the availability of resources on the Equifax website, www.equifaxsecurity2017.com, to protect individuals from identity theft. The site will verify whether a person has been affected by this breach. If an individual's information was exposed, they can receive a year of free credit monitoring and other identity theft protection services. Once they enter their name, the site will give them a date when they can come back to enroll. Affected individuals must remember to write down the date, return to the site, and click “Enroll” on that date. The deadline to enroll is November 21, 2017.

Initially, by agreeing to the terms and conditions for Equifax's monitoring, individuals were waiving key consumer rights, such as agreeing to settle disputes through arbitration and waiving the right to participate in class-action lawsuits. After the waiver of rights was exposed by the news media (see the CNBC articles linked here and here), Equifax amended its terms and conditions and issued the following FAQ: “the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com.”

The fact that Equifax attempted to bury arbitration clauses and class action waivers in the terms of use of the free credit file monitoring and identity theft protection raises the question of whether its actions are about fixing the issue or purely an attempt to limit its liability. However, the free credit file monitoring and identity theft protection may still make sense as a measure to mitigate some of the negative effects of the breach.

To assist your clients in protecting themselves from identity theft due to this data breach, AdvisorAssist recommends that you, as the Advisor, consider the following best practices:

  • Read through the consumer notice and related documents found at: https://www.equifaxsecurity2017.com/consumer-notice/ to determine if it makes sense for your clients to enroll in the free credit file monitoring and identity theft protection offering.
  • Monitor the accounts and financial statements that you advise on for your clients. Report to the client any potentially unusual activity.
  • Recommend that your clients change their passwords on all financial accounts.
  • Have your clients request a free credit report from all three credit bureaus at www.annualcreditreport.com.
  • Assist your client with setting up fraud alerts with the three major credit bureaus.
  • Work with the client to address any accounts that were fraudulently opened in their name.
  • If appropriate, assist your client with installing a security freeze on their credit. Please note the credit bureaus typically charge for a credit freeze. However, some states require that the fee be waived if the consumer provides a police report to the credit bureau.

Contributors:
Brian Young
Brendan Furey

August 9, 2017

SEC Risk Alert: Cybersecurity

On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) released its observations on cybersecurity preparedness from the examinations of 75 SEC-registered firms, including registered investment advisors (“RIAs”). Although OCIE noted improvements since its last cybersecurity risk alert in 2014, there is still room for improvement.

The OCIE suggests that RIAs consider the following practices to enhance their cybersecurity policies and procedures.

What you need to know:

  • Include details on how safeguards will be implemented. OCIE recommends adding safeguards that are specific to your RIA's computers and systems to your procedures.
  • Penetration tests to review the effectiveness of the firm's cybersecurity policies and procedures.
  • Security monitoring and system auditing of the firm's cybersecurity framework. This should answer questions such as when systems are reviewed for software updates and patches, and who is responsible for conducting the reviews.
  • A tracked list of vendors and of what data is stored on each vendor's systems.
  • Tracking of access rights for all employees to the systems that store client data.
  • Access controls for firm data and systems, including:
    • Acceptable use policies for using the firm's network or equipment.
    • Restrictions and controls for using mobile devices when connected to firm systems.
    • Requirements that third-party vendors provide logs of their activity on the firm's network.
  • Reporting of the loss of sensitive information, including who should be contacted.
  • Mandatory staff training on cybersecurity policies and procedures.
  • Involvement from senior management in developing and approving the firm's policies and procedures.

If you have any questions, please schedule time with your compliance consultant to discuss your cybersecurity risks.

For full details of the risk alert:

https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf


Contributors:
Brian Young
Brendan Furey

June 20, 2017

Guest Post: 3 Critical Steps to Improve Your RIA's Cybersecurity

Wes Stillman is the chief executive officer of RightSize Solutions, a provider of cybersecurity and technology management services for wealth management firms. We have asked Wes to share a few tips on cybersecurity for RIAs:

Cybersecurity is a growing concern, and recently it has become a hot-button issue among business publications and national consumer news. Regulatory boards that monitor the financial services industry are taking note and quickly shifting accountability to financial advisors.

While these issues may seem daunting at first glance, the better you plan to address them, the more prepared you will be for an audit and, equally important, for responding to an unforeseen incident.

To help you manage this critical aspect of your business's health, success and security, as well as your clients' personal security, here are 3 proactive steps you can take immediately:

“9 out of 10 organizations do not believe their cybersecurity fully meets their needs.” (EY Global Information Security Survey)

1. Survey your existing technology environment. You can find easy wins, and avoid pitfalls, by just recognizing your strengths and weaknesses.

The best place to start is by looking at what you already have. Take an inventory of the policies, software and hardware your firm uses. Where are your weak points? Consider the business partnerships and data exchanges your company executes on a daily basis. In today's interconnected business environment, our data supply chains create many access points to your customers' data. Make sure you are doing your part to protect these connections. Understand and document how your partners are protecting your clients' data. Some partners, like your custodian, may offer tools and assistance for improving your security. As a last line of defense, check your Errors and Omissions insurance; many policies now include or require cybersecurity coverage. If yours does not, consider a standalone cyber-insurance policy. Keep in mind that having insurance protection is important, but it does not negate the need to have proper processes and procedures in place.

“62% of cyber-breach victims are small to mid-size businesses, which are at the greatest risk for an attack. Their level of preparation is low, and the costs of customer notification alone can be enough to do a small company irreparable financial harm.” (PropertyCasualty360)

2. Make sure the IT/cybersecurity section of your employee handbook is up-to-date and enforceable.

Establish a clear contingency plan for dealing with cybersecurity incidents. Make sure your plan has both preventative and reactive action items. Do you have a clear contingency plan in place and a process for responding to cyberattacks? Do your employees know what is expected of them? To ensure this, create actionable steps for dealing with employees, clients, partners, members of the press, and police and government agencies. Think about all of the levels of security at your company. Clearly lay out who has access to what and control administrative privileges accordingly (for both internal staff and outsourced vendors). For example, limiting the ability to install drivers and execute applications can help control what gets onto your systems and prevent attacks like ransomware.

Lastly, recognize the impact of social media and create a policy specific to it. Not only does it distract employees, social media is a direct portal to cyber incidents. RIAs are prime targets for advanced phishing campaigns because much of their personal and business information is available online. Social media should be monitored for both public and employee comments. Policies should restrict what employees can and/or should be saying on social media accounts. Be sure to include any company social media accounts in your archive process for auditing purposes.

“Elite RIAs are more focused on maximizing their investments in existing technology as well as their partnerships with technology vendors.” (InvestmentNews Research and BlackRock Elite RIA Study)

3. Empowering your entire company to participate in awareness, and rewarding employees when they do, can drastically improve your security.

Building a culture of cybersecurity is one of the most important things you can do. Lead by example; regularly discuss cybersecurity in staff meetings and in other internal communication. Employees need to be empowered with knowledge and a shared commitment that goes far beyond the annual ‘check the box’ confirmation that they have read and understand the company IT policies. If an incident does occur, let your employees know about it. Not only will it help limit the impact of the incident, it will help your employees develop a team approach to cybersecurity. When employees alert management to mistakes early in the process, they are giving management the opportunity to prevent huge losses of time, data, and money. Specific ways to educate employees include conducting mock cybersecurity drills and scheduling periodic ‘test’ phishing emails or phone calls. Discuss recent, specific, documented cases in staff meetings, and question employees directly on how they would individually handle such situations.

In conclusion, the biggest stumbling block for registered investment advisors when it comes to guarding against cybersecurity breaches is not technology-based, it’s a people problem. The right technology is critical, but RIA leaders can face a bigger challenge in fostering a cybersecurity-sensitive culture in a way that resonates throughout all levels of their firms.

Read our ‘Managing Your Company’s Security Policy’ whitepaper for all 10 tips to help improve your firm’s cybersecurity.



Guest Contributor:

Wes Stillman is the chief executive officer of RightSize Solutions, a provider of cybersecurity and technology management services for wealth management firms.