Should I ... Hire someone to oversee cybersecurity?
Regulators and clients alike are eyeing planning firms’ cybersecurity provisions. Some practices might even hire someone for that sole purpose.
But if you’re like many financial planners, running a solo business or a relatively small group of planners and administrative help, you might be able to handle your firm’s cybersecurity needs without creating another full-time job. You may already have someone on staff who is comfortable with technology and knowledgeable about its problems and solutions. Adding overseeing IT to this employee’s duties could be a sensible way to get the help you need.
That’s the situation at 1080 Financial Group in Sherman Oaks, California, where founding partner Stephen Rischall quarterbacks the firm’s cybersecurity efforts. “I’m 30 years old, and as a millennial, I’m comfortable with technology and implementing tech solutions,” he says.
“Twenty advisors might be the place where you need a full-time employee. It depends on the kind of practice you run, employee turnover and how much financial technology you’re using. The more technology and users you have, the more complex your situation.” - Stephen Rischall
The measures he implements, he says, are part risk management protocols, part business continuity plans. In addition to using his own knowledge, Rischall also keeps up with best practices by doing research, talking with other people in the financial planning industry, working with vendors and consulting with his firm’s attorney, who is well-versed in cybersecurity.
The results, he says, are solid. “We just went through a surprise audit with the state of California, and they commended us on the ways we’re using technology in our practice,” Rischall says.
1080 Financial Group is in the midst of a merger, after which it will have eight employees. Rischall says that he will continue managing the firm’s cybersecurity, a job that currently takes up no more than 10% of his work time, he estimates. “Twenty advisors might be the place where you need a full-time employee,” he says. “It depends on the kind of practice you run, employee turnover and how much financial technology you’re using. The more technology and users you have, the more complex your situation.”
Learning DIY cybersecurity: If you don’t have Rischall’s knowledge base, you can build it; so can someone who is already part of your team. Rischall suggests reading online about best practices. Check out websites that are aimed at advisors, but also look at resources that don’t have planners in mind, for other perspectives on protecting sensitive information. “Educate yourself on the requirements and know the protocols that your broker-dealer uses,” Rischall says. “A consultant or attorney who helps you with filings can also help, as can your custodian.”
“There were a ton of holes in our system. We lacked an additional firewall. We shared a router with other offices. There was no encryption on our computers, we had never tested our vulnerability, and we had no policies and procedures around cybersecurity.” - Rose Ybarra
Rose Ybarra, who is senior financial partner at two-planner Tranquility Financial Planning in McAllen, Texas, educated herself about her firm’s needs and then set about fulfilling them. “Before last year, we had a couple of security features in place,” Ybarra says. “Then we went to a TD Ameritrade system and realized that there were a ton of holes in our system. We lacked an additional firewall. We shared a router with other offices. There was no encryption on our computers, we had never tested our vulnerability, and we had no policies and procedures around cybersecurity.”
Ybarra and her business partner, Terrance Martin, started bringing themselves up to speed by talking to vendors at the TD Ameritrade conference. Then they read articles online, talked with their compliance person about necessary steps, and reached out to vendors of cybersecurity solutions, including financial reporting and planning software, cloud-based storage, secure client portals and client relationship-management portals. One vendor gave them a free test that showed their firm’s vulnerabilities.
Based on what they learned, Ybarra and Martin put up their own firewall, created an incident report and a manual detailing their cybersecurity policies and procedures, switched from sharing documents with clients through email to using a secure portal, set up security procedures for working from home, installed more robust anti-viral software than they had previously and starting locking their computers when they left the office.
Ybarra estimates that she and Martin spent between 15 and 20 hours educating themselves, another 15 to 20 hours on implementing the cybersecurity measures they chose, and three to six hours on quarterly review.
Outsourcing technology needs: If cybersecurity is something you don’t have the time or desire to learn, a vendor can provide what your company needs. Keener Financial Planning in Keller, Texas, uses the Safe Workplace program offered by True North Networks, based in Swanzey, New Hampshire, to supply its tech solutions.
“I thought our cybersecurity was pretty good, but True North has made it really good,” says Jean Keener, the firm’s principal. The vendor, she says, has installed a commercial-grade firewall, which it monitors for intrusions or suspicious activity. It created a secure VPN for Keener, selected anti-viral and anti-malware software, wrote custom policy statements and trained Keener staff in best practices.
“They provided training videos, and they send us test phishing emails to see if our employees will click on them,” Keener says. “You can have all the great technology in place, but really it’s the people who are the weakest link.”
Keener declined to say what she spends on True North’s services, though she says that there was both a setup cost and an ongoing fee structure. “I can comfortably say that the total is much less than we would spend on doing the work in-house,” she says.
Keener is happy with this solution. “Not only do we have a high level of security, but we can show that we have a policy, and we’ve implemented it. We were audited last year, and the regulators seemed really impressed.” For the foreseeable future, she says, Keener will outsource its cybersecurity needs.