In the course of providing investment guidance to consumers, Registered Investment Advisors (RIAs) collect significant personal and financial information about their clients. Hackers have learned that targeting RIAs can be a fruitful source of valuable information. The Securities and Exchange Commission (SEC) has turned its attention toward RIA cybersecurity, issuing strong guidance on how RIAs must protect themselves and their clients from cyber threats.
Earlier this fall, R. T. Jones, a St. Louis-based RIA, agreed to settle with the SEC for a $75,000 fine after being victimized by a cybersecurity attack that resulted in the loss of significant client and prospect personally identifiable information. Additionally, R. T. Jones had to contact all of the people whose private information was exposed. Finally, the SEC issued a press release, further damaging the R. T. Jones brand. Now when you google “R T Jones”, pages on the SEC website are the first two results. R. T. Jones learned the consequences of poor cybersecurity policy the hard way.
At the heart of the issue was that the firm violated the “safeguards rule” by not adopting written policies and procedures to ensure the security and confidentiality of personal information and by not putting even basic security controls in place to mitigate the risk of a cyber attack.
There are three things that every RIA should do to ensure that they are in compliance with the safeguards rule.
1) RIAs should perform a security assessment that answers a number of key security questions. What and where are the key information assets? What are the important security threats? What security controls are in place? What vulnerabilities, if any, could allow a system to be compromised? For instance, if an RIA holds Social Security Numbers (SSNs), are they stored in an encrypted fashion? Is the organization protected from employees accessing unauthorized information? The security assessment should evaluate all of the top assets, the threats, the vulnerabilities and the controls, as well as the potential impact of a compromise and the overall effectiveness of the current security program in place. The results of this security assessment are a useful tool for understanding the organization’s security posture and a baseline for building an effective security plan.
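To make the first two assessment questions concrete (where are the key information assets, and are SSNs stored encrypted?), here is a small added example of a data-discovery check. It is not code from Fractional CISO or from the original post; the records it scans are constructed inline, and the source file names, the `enc:` prefix used to mark an already-encrypted field, and the function names are all assumptions for illustration. It reports where plaintext SSNs appear, keeps only the last four digits in the report so the assessment output itself does not become another copy of the sensitive data, and flags bare nine-digit numbers as low confidence because those are often invoice or account numbers rather than SSNs.

```python
import re
from dataclasses import dataclass

# Constructed sample records, in the shape of a CRM export an RIA might hold.
# The "enc:" value stands in for a field that is already encrypted at rest.
SAMPLE_RECORDS = [
    ("clients.csv", "Jane Doe,123-45-6789,jane@example.com"),
    ("crm_export.csv", "John Roe,ssn: 219 09 9999,john@example.com"),
    ("notes.txt", "Called about rollover; account ending 4521"),
    ("vault.csv", "Jane Doe,enc:ZmFrZS1jaXBoZXJ0ZXh0,jane@example.com"),
    ("clients.csv", "Bad Record,000-12-3456,bad@example.com"),
    ("legacy.txt", "ref 123456789 invoice"),
]

# Three groups of digits with an optional separator (dash or space); the
# backreference \2 requires the same separator in both positions, and the
# lookarounds stop the pattern from matching inside a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules: area is never 000, 666 or 900-999,
    group is never 00, serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


@dataclass
class Finding:
    source: str       # file or table the value was found in
    masked: str       # only the last four digits survive in the report
    confidence: str   # "high" when separators were present, else "low"


def find_plaintext_ssns(records) -> list:
    """Scan (source, text) pairs and return one Finding per plausible
    plaintext SSN; encrypted fields do not match the digit pattern."""
    findings = []
    for source, text in records:
        for m in SSN_RE.finditer(text):
            area, sep, group, serial = m.groups()
            if not is_plausible_ssn(area, group, serial):
                continue
            confidence = "high" if sep else "low"
            findings.append(Finding(source, f"***-**-{serial}", confidence))
    return findings


def summarize(findings) -> dict:
    """Count findings per source, which answers 'where are the assets?'."""
    by_source = {}
    for f in findings:
        by_source[f.source] = by_source.get(f.source, 0) + 1
    return by_source


if __name__ == "__main__":
    results = find_plaintext_ssns(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.source}: {f.masked} ({f.confidence} confidence)")
    print("per source:", summarize(results))
```

In a real assessment the same scan would be pointed at file shares, database exports and backups, and every source with a high-confidence hit becomes a line item in the asset inventory that needs encryption at rest and a documented access list.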
2) Once the assessment has been completed, the RIA should devise a strategy designed to prevent and detect cybersecurity threats with technical controls. There are four areas that must be part of the consideration set.
- Setting appropriate policy for authentication and authorization is a key element. That means that every RIA needs to have a good password policy and proper management of user and system credentials. Authorization for key systems should be restricted to only those who need access to the system.
- The important data identified in the assessment needs to be well protected, which includes storing the data in an encrypted format and ensuring that all copies are encrypted as well.
- The network and systems need to be protected with proper network design, perimeter defenses, network detection and system hardening.
- The organization needs a breach remediation plan enabling a response to attacks on systems and data. The plan needs to be periodically tested to ensure that it is effective.
These technical controls will help to minimize the risk to the organization of a breach. They are not, however, sufficient.
3) The final part of the plan is to implement process controls via written policies, procedures and training. Every employee should know his or her role in protecting information and systems. Policies, procedures and training should include a plan for the proper handling of confidential information and for managing account and system access properly. Plans for security incident response must be included to prevent, detect and respond to threats. Monitoring of compliance with the organization’s cybersecurity program must be in place.
Implementing and maintaining a cybersecurity program might seem overwhelming to many Registered Investment Advisors. These organizations often do not have the in-house security expertise required for such a program. That is why organizations such as Fractional CISO provide RIAs with the expertise to do the analysis, planning, implementation and program monitoring.
More information for our RIA cyber security assessment program can be found here.
Please contact us at Fractional CISO for more information.