RIAs: How to build a cybersecurity backbone before the SEC calls
Cybersecurity is a serious game and independent registered investment advisors are up against some of the best criminals out there, simply because of the nature of this business. Since the stakes are so high, the SEC is intent on penalizing firms that lack a locked-down offense and defense.
As such, RIAs are responsible for protecting client data in all forms — including every electronic medium — not just email, but also text and instant messaging, according to the commission. That means protecting data across all apps and devices, and using only third-party vendors that apply similar rigor to safeguarding this information.
For financial advisors who thought they only needed to be experts at investing, financial planning and wealth management, these expectations may seem overwhelming and impossible to achieve.
“I know I am responsible for this, but I don’t know where to start,” is an oft-repeated refrain.
For those keeping score at home, this might translate as: game over. Cybercriminals – 1; RIAs – 0.
But RIAs can do better.
If RIAs approach cybersecurity in a way that mimics how they work with clients, they can level the playing field and put some points on the board. Just as an advisor can be a client's financial coach, managing the big picture so that each member of the financial team helps the client to their desired outcome, they can also lead their own cybersecurity team.
By putting the right experts in place to do what they do best, RIAs position themselves for a highly desirable outcome in the event of a data breach or even a regulatory exam that includes a review of cybersecurity practices. This allows the advisor to be focused on what they do best — serving clients' wealth management needs.
It should relieve financial advisors to know that the best cybersecurity policies and procedures do not require them to know it all or do it all.
Still, as head of their firm's cybersecurity team, RIA owners must assemble the right experts and ensure that each player does their job. It's also important to emphasize that a well-functioning cybersecurity team does require active management; this is not a set-it-and-forget-it part of the business.
The team roster needs the following three key players: a lawyer who is also a compliance expert, an IT management expert and a designated C-level executive responsible for cybersecurity oversight. Whether they are in-house or hired from the outside, these individuals are responsible for developing and implementing a workable cybersecurity policy. How well this team works together will determine the success of the RIA's cybersecurity program.
Who does what?
For starters, the RIA's compliance expert — the lawyer — will set the stage for explaining what the ground rules are, based on regularly updated guidance from the SEC's Office of Compliance Inspections and Examinations, and on their own experience with SEC audits.
With this guidance in hand, the IT management expert should perform an audit of the RIA's current IT environment, with a focus on mapping out where the data is. As part of this assessment, the IT expert should explain the potential risks and identify opportunities to use technology to close these gaps.
Here's a side-benefit to this initial assessment process: It is not uncommon for the IT expert to uncover potential areas of cost savings for the firm, as well as areas for potential gains in operational efficiencies.
Working with the team's senior firm leader, the lawyer and the IT expert will map the RIA's cybersecurity risks to events that can trigger a breach. Defining the firm's exposure is the first step to creating a cybersecurity policy to govern exactly how the firm will protect itself.
Developing the playbook for tackling cybersecurity will take time. Like a coaching staff that pores over game tapes to come up with strategies for exploiting opponent weaknesses while shoring up their own, the team will put real effort into creating the game plan for building a strong cybersecurity backbone.
With a finalized and written cybersecurity policy agreed upon by firm leadership, the IT expert should be tasked with implementing procedures to enforce it, as well as handling monitoring, reporting and analytics for the RIA, in the event of a breach or audit.
Senior firm leadership is responsible for instituting cybersecurity training across the firm, as well as for modeling appropriate device usage to nurture the growth of a cybersecure culture.
The cybersecurity team does not dissolve once a policy has been developed and procedures are initially in place. The team continues to work on testing to ensure compliance, both by working through crisis scenarios and potentially even putting the firm through a mock audit, as if SEC auditors had just appeared at the door.
The policy is a living document, so the cybersecurity team must convene regularly to assess its effectiveness, making adjustments as needed. Monthly meetings are frequent enough to keep the team engaged in managing the firm's cybersecurity without lapsing onto auto-pilot.
The monthly meeting will also help keep the RIA accountable in the event of an audit. At these meetings, the cybersecurity team should review red flags that have been uncovered as a result of the enforcement of the policy, how these situations were remediated and the steps that have been taken to prevent reoccurrence.
The team should consider any new risks or potential events that need to be taken into account, including shifts to the RIA's business or overall operations: Are we considering an acquisition or hiring a new vendor? What about new or exiting employees? Are we onboarding any large, new clients?
The team may also want to use the meetings to determine whether any updates or news from third-party vendors impact the RIA. If the firm opts to keep clients informed on cybersecurity, the handling of these communications can also be addressed.
Ignorance, apathy and non-compliance are no longer fallback options for RIAs that may have decided they were not interested in playing the cybersecurity game. What we have seen from the SEC thus far is that firms that fail to implement formal and rigorous cybersecurity management policies will pay a seven-figure price for violating the Identity Theft Red Flags rule, which applies to all SEC-registered firms and requires them to protect client data, regardless of their size.
This means it's time for RIAs to huddle up, update their playbooks and restart the game clock.
Though cybersecurity may seem complicated and daunting, RIA owners and financial advisors pay a steep price when they forfeit their obligation to protect their firms. Advisors improve their odds of winning, and get started on the right path, by first understanding what their risks are and putting a team in place to keep them moving forward.