Contact us: 888-996-4642 | info@itegria.com

Valuable Cyber Security and Compliance Tips for RIA Firms

ĪTEGRIA® was asked to participate in a webinar with RIA in a Box to discuss how to put policies in place and better protect your RIA firm from cyber attacks. The webinar was a huge success but in case you missed it, we wanted to share some of the highlights of the webinar as well as provide you with a link to listen in on the replay.

G.J. King, President of RIA in a Box, kicked off the webinar sharing some great information on the regulatory landscape. Our founders, Richard Mabbun and Julian Makas, then answered specific questions from RIAs on how to protect their firm from cyber attacks. Here were some of the highlights of the presentation:

  • G.J. King shared that cyber security is the greatest threat to your RIA firm in the near future. Therefore, he emphasized that RIA firms need to establish a culture that takes IT security very seriously. Leadership needs to make it a business priority. Don’t have a strategy to meet security compliance standards, but rather have a robust strategy to protect your firm and your customers’ valuable data.
  • There are SEC regulations that need to be met in regards to cyber security compliance but don’t forget state laws, especially those that apply to data breaches.
  • So far, the SEC has taken action against RIA firms when:
    • They have experienced a data breach;
    • There is only a vague or no cyber security policy at all; or
    • Leaders failed to protect their portfolio management system by allowing employees to share login information or failed to disable user names after employees have left the firm, for example.
  • The SEC’s OCIE lists cyber security as top audit priority for 2015 which will continue in 2016.
  • In February of 2015, the SEC announced the 74% of the RIA firms examined had experienced some form of cyber attack.
  • In September of 2015, the SEC announced a second round of RIA cyber security exams with a focus on not just having a policy, but testing it.
  • Employee training is THE most important component of any RIA firm’s information security policies and procedures because employees unknowingly pose the greatest security risk to your firm.
  • What can/ must you do to protect client information:
    • Have a written information security policy
    • Employ “technical controls” to limit access and protect your systems and information
    • Test your policy and controls
    • Train your staff
    • Conduct periodic risk assessments
    • Have a plan in the event of a cyber attack
  • When it comes to testing your cyber security policy, think documentation! Show the SEC your written policy, any training that has been conducted internally, as well as any audit results and the steps you have taken to address issues.
  • Password management is a strong component of your security policy because it is often the weakest link in your security armor. Richard and Julian discussed the benefits of multiple factors of authentication because it offers the greatest level of security. Although the SEC will never mandate that you use password management tools, like Last Pass, these tools do allow you to create a more difficult, robust, and controlled methodology to protect access to your network. The SEC likes to see that you are taking steps to protect your data.
  • RIA firms should have a professional network audit done but make sure the level of test reflects the complexity of your system. If your security maturity is zero, for example you are just getting started with your security policy, then your audit should address the needs of figuring out where your data is, what needs to be protected, and how you are tracking access to that data. If your system is more complex then maybe a penetration test is where to focus your assessment. Find a partner you trust who will guide you on the right path and tell you the first steps that need to be taken before any pressure or stress tests are run on your security procedures.
  • Being able to access your data and network via Wi-Fi while traveling is such a productive saver. However, public Wi-Fi is very dangerous from a cyber security standpoint. Once you are on a public Wi-Fi network at a hotel, coffee shop, conference, etc. your data is wide open unless you are supplying a secondary level of encryption. When using public Wi-Fi, if you are conducting any type of transactions that requires data that you don’t want someone to see, then we recommend using an encryption technology.
  • If you are conducting business transactions over Wi-Fi, we recommend you log into your firm’s VPN (virtual private network) and then use a remote desktop access technology and conduct all of your business from that workstation within the office.

That was really only half of what was shared! Want to watch the whole video for even more on how to protect your firm from cyber attacks? Here’s a link to the cyber security webinar.

If you have more questions about cyber security and how to comply with SEC mandates, please give us a call at 888-996-4642. We are happy to help. We only serve RIA firms, so we understand the complexities of your industry and can share best practices in cyber security to help you protect your business.

ĪTEGRIA® will also be exhibiting at the Schwab IMPACT Conference Nov. 10-13th in Boston. We would be happy to answer your specific cyber security and compliance questions at either event. To set up a meeting with one of our technology specialists, please give Robert Madi a call at 224-563-3602.

Finally, we have a new cyber security solution in the works for clients who aren’t currently having us manage their IT network. Sign up for our newsletter to receive more information on that solution when it is announced.

 

You Might Also Like:

How to Make Managing Your RIA Firm’s Technology a Little Easier

Which Cloud Based IT Infrastructure is Best for RIA Firms?

3 Key Components of a Robust IT Compliance Program for RIA Firms