Advisors: How to approach a cybersecurity policy
Cybersecurity policy may still be very much a work in progress at the SEC, but officials increasingly are expecting advisors to have a baseline set of policies and procedures in place to safeguard clients' data, compliance experts caution.
Earlier this year, when the SEC announced a new cybersecurity initiative, the commission said that examiners would fan out to dozens of advisors and broker-dealers to gather information on "cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats."
That's a tall order, especially for small practices with limited resources.
So how should firms respond?
As a starting point, advisors need to understand that cybersecurity is not strictly a technical issue, says Jason Glass, an attorney with Bingham McCutchen who specializes in securities and regulatory issues. He notes that many breaches result from lapses in policies or a loose system of access controls.
"When you're thinking about your cybersecurity, it's not just cyber crime or terrorist attacks," Glass says. "It's about a lot of basic sort of blocking and tackling."
He suggests that when setting out to craft a cybersecurity policy, firms should start with a risk analysis, taking stock of the data they hold and the systems and devices they have in place.
A common weak spot in firms' information security operations is what Glass calls "cyber hygiene" -- basics like requiring strong passwords and employee training programs that cover things like steering clear of suspicious email attachments.
Likewise, firms can mitigate their risk by limiting the quantity of data they collect and the length of time they keep it, and strong encryption can make those data sets a harder target. Glass urges firm leaders to take an active role in establishing employee training programs to promote a culture of cybersecurity, coupling the issue closely with the firm's business objectives.
He stresses that advisors don't need to be experts in technical areas like network architecture to be responsible stewards of their firms' digital systems and data, and acknowledges that many small practices might not have the resources to bring on an in-house security staffer. But he does argue that someone within the firm needs to have the designated responsibility to tend to security issues, such as ensuring that the patches that software vendors like Microsoft routinely issue are promptly installed on the firm's systems.
And, even if advisors aren't sure of the right questions to ask, Glass suggests that they bring up information security in their conversations with third-party vendors, putting down a sort of marker so the firm's partners are aware that cyber issues are a high priority for the practice.
Even in the absence of a formal rule from the SEC governing information security policies, in the event of a breach that compromises a client's information, advisors could be subjected to an enforcement action for failing to uphold their fiduciary duty of care, warns Duane Thompson, senior policy analyst at fi360, a fiduciary training firm.
Increasingly, advisors can expect cybersecurity issues to be a focus for SEC examiners, and the commission has put the industry on notice that small firms won't get a free pass.
"It's real. It's happening, and at some point, I don't think anyone's immune, whether you're a small sole-proprietor financial planning shop or JPMorgan," Thompson says. "If it does happen -- especially a small firm -- you get hacked, that could mean a huge disaster for your firm and your reputation."
Kenneth Corbin is a Financial Planning contributing writer in Washington.