BreachExchange mailing list archives

Cybersecurity for the insecure RIA


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Nov 2015 19:35:43 -0700

http://www.investmentnews.com/article/20151118/TECH/151119915/cybersecurity-for-the-insecure-ria

Investment advisers have a great many reasons to feel anxious and not just
because of the stock market's volatility. Registered investment advisers
and investment adviser representatives face the risk of cyber attacks
against their firms and their clients. If those risks weren't enough to
cause advisers to be insecure, they also must be concerned that securities
regulators will criticize their efforts to address cyber threats.

Both the Securities and Exchange Commission and state securities regulators
assess RIAs' cybersecurity preparedness during compliance examinations. If
examiners are disappointed with an RIA's cybersecurity efforts, the
examination is likely to have an unhappy outcome.

In a June 25 speech, SEC Commissioner Luis Aguilar said, “Designating an
information security officer and carrying cyber insurance are both
commonsense precautions that have been shown to decrease the costs
associated with data breaches, and it's disappointing so many firms fall
short in these important areas.”

DON'T ASSUME YOU HAVE COVERAGE

Too many advisers assume they have cybersecurity coverage in their existing
policies. They should document that they have reviewed their coverage to
ascertain whether there is adequate coverage for cybersecurity events. As
with any insurance policy, RIAs should take note of exclusions and
deductibles. RIAs should make certain they have coverage for lawsuits
arising from a cyber attack. A good policy also will cover the cost of
notifying affected parties about the cyber breach. In addition, it is
beneficial to have coverage for the cost of technical support to ensure
that the cause of the breach has been identified and eradicated.

Policies and procedures show regulators that you take cybersecurity
seriously. These policies and procedures should require the RIA to identify
the cyber risks it faces and how the firm will manage them. Cybersecurity
policies should be designed to protect the firm's networks and information.
They also should address how the RIA will deal with the risks related to
remote customer access, as well as funds transfer requests.

Policies and procedures should specify what steps will be taken to detect
and eliminate unauthorized activity on the firm's website. In addition,
they should spell out the cybersecurity risks arising from relationships
with broker-dealers and other third parties, and how they will be addressed.

Cybersecurity policies and procedures should be communicated to all of the
people associated with the firm, and RIAs should conduct cybersecurity
training sessions. RIAs should also let clients and prospects know about
their cybersecurity measures.

CYBERSECURITY INTERTWINED WITH MARKETING

Prospective clients are likely to question an RIA's cybersecurity efforts.
If they feel insecure about your cybersecurity program, they may look
elsewhere for an adviser.

On Jan. 25, the North American Securities Administrators Association issued
an advisory to warn investors that they should discuss cybersecurity with
their financial advisers. Among other questions, investors should ask
whether the firm they are considering has addressed cybersecurity threats
and vulnerabilities. Investors should also ask what safeguards are in
place, such as encryption, antivirus and anti-malware programs.

In August, Reuters reported that more RIAs are attempting to educate
clients about cybersecurity threats. A Pittsburgh RIA's seminar offered
advice to combat cyber attacks, such as using a two-step process to log
into email and creating stronger passwords. Clients were also given tips on
how to evade email phishing attempts.

Providing cybersecurity education to clients and prospects can help thwart
cyber crime and might be an effective marketing tool. RIAs should offer
cybersecurity tips in their newsletters or on their websites. At marketing
seminars or client events, RIAs should tell attendees what they do to
protect their clients' privacy and confidential information.

As part of its marketing effort, one RIA arranged for a shredding service
so clients and prospects might safely dispose of old paperwork and personal
documents. Another firm bought an identity theft protection policy for
clients.

LAPSES LEAD TO LOST CLIENTS

Cyber attacks can cause irreparable damage to an RIA. Once a firm has
suffered a cybersecurity incident, clients and prospects may become very
insecure about the firm's ability to protect their nest eggs. Furthermore,
after an incident, an RIA may find it much more difficult to convince
examiners that it takes cybersecurity seriously.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
