As a Registered Investment Advisor, or RIA, the privacy of your clients’ information is of utmost importance. A data breach could not only cost you your reputation; it could also expose you to steep fines and penalties. Just last year the SEC charged an RIA with failing to adopt proper cybersecurity policies and procedures prior to a breach that occurred.
The SEC’s Division of Investment Management recently issued a Guidance Update specifically focused on the cybersecurity of RIAs. It comes as no surprise that the guidance places heavy emphasis on making sure safeguards exist to protect client information. Here are some tips for RIAs to consider when determining which cybersecurity measures to implement.
1. Create a Strategy to Prevent, Detect, and Respond to Cybersecurity Threats
No matter how small your RIA firm is, you must have a basic security strategy in place in order to prevent, detect, and respond to potential threats. The security program doesn’t need to be comprehensive, but it should include certain basic elements such as:
- Information security awareness training for all employees
- Policies around appropriate use of passwords and secure electronic communication
- System configuration guidelines for any on-premise systems
- Vendor security requirements for 3rd party service providers
- A process for documenting and investigating security incidents
The good news is that your IT services provider can likely help you develop this process relatively quickly. Don’t reinvent the wheel from scratch: chances are that if you already use an IT services consultant, they’ve done this for other clients and can quickly leverage their prior work to develop something for your firm.
2. Implement the Strategy through Written Policies and Procedures
The framework you come up with must be formally documented. Employees should all be required to sign a basic company security policy to demonstrate that the policy has been communicated to them. Security awareness training should be conducted annually, and cover things like how to choose a strong password and the dangers of email based “phishing” attacks.
For third party vendors and service providers, it is also a good idea to develop a vendor security questionnaire and have them return a completed version of the questionnaire to you.
3. Implement Appropriate Security Technologies
There is no shortage of security products in the marketplace. You don’t need to use all of the latest and greatest technologies, but make sure you have a few of the basics covered:
Secure Email
RIAs frequently need to collect sensitive information from customers. Firms must make sure that they provide their employees with an easy-to-use method for securely sending and/or receiving sensitive email messages and/or documents. For firms that use third party hosted mail services, such as Office 365 or Google Apps for Business, you will want a service that provides end-to-end encryption. With end-to-end encryption, only the people communicating can read the messages. This means that no eavesdropper can access the encryption keys needed to decrypt the conversation, including telecom providers, internet providers, and even the company that runs the messaging service.
Secure File Exchange
Many firms have opted to use cloud file sharing services, like ShareFile and Box, as an alternative for sending sensitive files via email. While these services do provide more protection than email, there are some caveats that make them potentially risky for storing sensitive taxpayer information. The most notable caveat is that they have full access to your stored files, which means that if someone on their end decides to view your data (or more likely, their systems get hacked) your files are exposed. This is another area where a service that provides end-to-end encryption of the files can help reduce your exposure.
Single Sign-On for Third Party Hosted Systems
Single sign-on providers like Okta and OneLogin enhance your overall security posture by providing a centralized system for authenticating access to external systems. These services also allow you to enforce strong authentication, such as Two-Factor Authentication, for sites that may not otherwise offer this level of security.
VPNs for Remote Access
Employees that travel frequently should have access to a Virtual Private Network, or VPN, that can be used for remote internet access. Most open WiFi access points and “Hot Spots” leave a user vulnerable to DNS spoofing and “man-in-the-middle” attacks that can be mitigated through use of a VPN.
4. Test your Security through Security Assessments
Once you’ve implemented your program, you’ll want to conduct periodic testing to make sure the program is working. Assessments can cover security awareness by hiring a service to conduct a mock phishing campaign against your users, or cover technical compliance by having a vendor “scan” or “attack” your systems to see if they are vulnerable to common weaknesses.
When conducting an assessment, don’t expect to come out of it with a completely clean bill of health. It is almost unheard of for an assessment to uncover no findings. It is important to understand the technical and business impact of these findings so that you can determine whether the cost to address each issue is justified.
SendSafely: Simple to Use End-to-end Encryption for Email and File Transfer
If you are an RIA looking for a simple to use email encryption and secure file transfer platform, consider taking a look at SendSafely. Our enterprise platform integrates seamlessly with Microsoft Exchange and Google Apps for Business.