Amid mounting scrutiny from regulators, experts urge advisers to step up their policies and procedures to guard against cyber threats.
Advisers have heard the warnings and seen the headlines. Cybersecurity is a threat -- some say an existential one -- and it isn’t going away any time soon.
So how can advisers upgrade their security posture?
Experts agree that any effective cybersecurity program must be based on a rigorous evaluation of a firm's systems and processes to diagnose and address both internal vulnerabilities and those that can arise when working with third-party vendors.
But beyond that risk assessment, firm leaders from the principal to the chief compliance officer and the board must take steps to address the human element of the security challenge, according to Justin Kapahi, technical director in Miami at External IT, a cloud-computing services provider that works with registered investment advisers.
Many of the recent high-profile breaches have come as the result of “social engineering,” scenarios in which a scammer gains access to a system by tricking someone inside the target firm, “all of which are very difficult to stop with technology,” he says.
“The biggest trend right now -- and I think people do realize they need this -- is to have an ongoing security awareness training program in the company,” Kapahi says.
“The bottom line is if the user isn't trained to play defense, you can't win the game,” he says. “You have to be constantly aware that people are trying to trick you.”
Kapahi recommends that firms consider a continuing training program that could include periodic all-hands meetings to discuss emerging threats and risks or presentations from outside experts.
He also suggests that firms put their employees to the test through security simulations, sending out a common type of phishing email to see how many people accede to an urgent request purportedly from a client demanding the swift transfer of funds to the Congo, say, or emailing around a PDF that, when opened, would simulate an infection by a Trojan.
It isn’t an idle concern. Regulators at FINRA and the Securities and Exchange Commission have put the industry on notice that cybersecurity is a top priority, signaling that more enforcement actions are likely.
“Cybersecurity cases are alive and well, and we anticipate we'll be seeing a lot more of them in years to come,” Brian Rubin, a partner at securities law firm Sutherland Asbill & Brennan in Washington, said during a recent online presentation.
Increasingly, regulators expect to see firms enacting and enforcing rigorous cybersecurity policies and procedures, which must include training programs geared to raise awareness of potential threats and scams throughout the firm.
Kennet Westby, president of the security and compliance firm Coalfire Systems, characterizes the cybersecurity risk-assessment and training programs at many advisory firms and broker-dealers as “fairly immature,” particularly compared with those at banks and other large players in financial services.
No proponent of government overreach in the cyber arena, Westby credits the RIA industry at least with a greater awareness of the cybersecurity issues but urges firms to get more serious about implementing a sturdy set of policies and procedures, citing the framework published by the Commerce Department as a helpful starting point.
“It's an adaptable, scalable one, so that's often where we start,” he says.
“Regulation is not the answer. I think most organizations and most individuals understand that this should be a business issue,” Westby says.
And the stakes are quite high.
“In many cases, it's a bet-your-business [scenario],” Westby says.
“Where in the larger organizations they may be able to manage it and weather through,” he says, smaller firms might not bounce back from the reputational hit and business disruption that a major cyber event can bring on.
“It could be the end of their practice,” Westby says.
This story is part of a 30-30 series on ways to upgrade your practice.