When it comes to cybersecurity, these are unprecedented times. Unfortunately, breaches and hackers are the new norm. Further, regulations require that you, as a business owner, take the responsibility to keep your clients' information and identities safe. But safeguarding the vast landscape of security risk takes commitment, an understanding of risk exposure, and investment of time and resources. So, where do you start?
To help answer this question, my colleague Brendan Daly and I will outline some of the cybersecurity challenges for financial advisors, as well as how different regulatory agencies are addressing this vital issue.
FINRA Cybersecurity Conference
Recently, Brendan and I attended the 2016 FINRA Cybersecurity Conference, which was a great opportunity both to gather with industry peers and regulators and to discuss the cybersecurity challenges and risks we face on a daily basis. One theme was abundantly clear: we are all in this together and have a common goal, which is to protect consumers from the constant onslaught of scams and the bad actors that perpetrate them. Being successful at this? Well, that’s a different and much larger story.
Best practices. The presenters and panelists at the FINRA conference highlighted the scams that financial professionals are seeing or eventually will see. But the most valuable takeaway was how financial companies can approach implementing a cyber-risk program and the plethora of best practices and resources that are publicly available. There was much discussion and guidance regarding cybersecurity frameworks—in particular NIST or ISO 27001—and how advisors can use these frameworks as “blueprints” to identify and mitigate risk exposure throughout their organizations.
Information sharing. Another key topic of the conference was cyber-threat information sharing, which is quickly becoming an invaluable and necessary lifeline that enables us to proactively protect our most important assets. For the most part, the same scams are being launched against us all, but there are resources to share information and collectively mitigate these risks. One such resource is the Financial Services Information Sharing and Analysis Center, which financial institutions, broker/dealers, and regulators can use to share intelligence about threats and the actors associated with them. There are also groups like InfraGard, a partnership between the FBI and many different industry sectors that is dedicated to sharing intelligence to prevent hostile acts against the U.S.
Connecting with peers, sharing what you see, and preventing common exploits and attacks are all very much possible when you have the vital intelligence. Understanding the importance of this, the Department of Homeland Security is moving forward with the Cybersecurity Information Sharing Act. The biggest piece of cybersecurity legislation we've seen, it was passed just last year and includes preliminary guidance on how the private sector and government will communicate threat data. (To learn more about this act, check out this post on the Data Protection Report.)
The SEC is another agency that has given cybersecurity special attention.
- In 2014, the SEC held a Cybersecurity Roundtable with industry representatives to discuss the importance of cybersecurity to the financial services industry.
- Shortly after this, the SEC conducted a Cybersecurity Examination Sweep: targeted exams of more than 100 broker/dealers and investment advisers that assessed firms’ overall preparedness to deal with cyber attacks. The sweep exams requested information and documentation on how firms addressed risks related to cybersecurity, including governance, policies and procedures, network security, remote access to client information and fund transfers, vendors and due diligence, and detecting unauthorized third-party activity.
- In February 2015, the Cybersecurity Examination Sweep Summary was released.
- In September 2015, the SEC announced a second round of cybersecurity exams involving more testing of firm procedures and cybersecurity controls.
- In its Examination Priorities for 2016, the SEC announced that it will continue to focus on cybersecurity as a high-priority marketwide risk.
These exams and announcements make clear that the SEC will be including cybersecurity as a component of its broker/dealer and investment adviser exams for the foreseeable future. Further, it expects broker/dealers, investment advisers, and other financial firms to implement information security programs based on a framework of industry standards, practices, and guidelines. In fact, many of the questions in the first Cybersecurity Examination Sweep came directly from the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. But what does this mean for you?
The SEC is currently conducting exams of broker/dealers and investment advisers of all shapes and sizes. During the exams, the SEC will ask to see the firm’s information security policies and procedures, interview staff, and request information on security incidents the firm has experienced. To prepare, firms should review the SEC’s releases, including the Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative and OCIE’s 2015 Cybersecurity Examination Initiative, and be ready to answer all of the questions contained therein. Also, expect a more in-depth exam experience, as the SEC has started asking much more technical and detailed questions than ever before.
The Commonwealth Solution
What separates us here at Commonwealth from other broker/dealers is that we believe our advisors should not be alone in managing the security risk of their organizations. Instead, we offer a service in which we wear the security hat and manage the necessary security hardware and software for our advisor offices: the Commonwealth Shield. Commonwealth designed the Shield in response to SEC, FINRA, and state regulations that define advisors’ responsibilities for protecting clients’ personal information. The Shield includes multiple layers of important security safeguards, including:
- Hardware firewalls
- User provisioning and access management
- Update and patch management services
- Secure remote access
The result? Our advisors get to spend less time worrying about security or trying to be security watchdogs and more time doing what they do well—being financial professionals.
Know the Risks
Whether your organization is large or small, someone has to assume the security hat. After all, the cyber thieves and hackers are committed—and they have the time, resources, and patience to achieve their goals. What we hope you take away from this discussion is that if you educate yourself on what the risks are and what strategies can be used to mitigate them, you will be taking an important step in safeguarding your business and the sensitive information of your clients.
Have you experienced any information security issues in your practice? What best practices have you implemented to protect your clients' information? Please share your thoughts with us below.