
How RIAs Can Proactively Meet Cyber Security Standards

Every day, clients entrust their investment advisors at RIA firms with valuable financial data, exactly the kind of data that identity thieves would love to get their hands on. Account numbers, passwords, account balances, and transaction history are all sensitive data that must be protected from cyber attacks. Not to be all gloom and doom, but a single breach that exposes client data or leads to the loss of client funds could put an investment advisory firm out of business.

So, to run the best RIA firm possible, you need security in the same way that you need your Internet connection. The two must work hand in hand to keep your RIA firm both trustworthy and competitive for your clientele. In addition, information security is a significant initiative for the SEC this year. Investment advisory firms of every size will be expected to start meeting information security standards with robust policies and procedures.

From an IT perspective, cyber security is a specialized area that is both time and resource intensive. But don't assume that only large companies have the resources to really protect themselves. Small and mid-size RIA firms can implement robust procedures to protect themselves against cyber security threats and meet the standards set by regulatory bodies by taking a focused approach.

To help you be proactive in securing your firm's and your clients' sensitive data, here are some common red flags, or mistakes we see RIAs make, that could leave their technology systems vulnerable to a cyber attack.

“We hired an information technology consultant to set up some security procedures last year, so we are covered.”

Cyber Security is a never-ending endeavor.
You can't put a procedure in place and consider yourself covered. Your network environment is a living, ever-changing system that moves in and out of a secure state. Every day new bugs, viruses, corrupted software and malware are discovered that could make your firm's network vulnerable to attack. Your security procedures need to be built around constant monitoring.

In-depth periodic assessments stress-test the security measures in place and verify that everything is working as expected, but ongoing scanning, patching and risk remediation are what keep your firm in a secure state between assessments.

“We have an internal systems administrator who keeps our IT running smoothly. We’ll be fine.”

Get Good Help.
System administration, or the role of a system administrator, leans toward functionality, performance and availability. Administrators tend to focus on the "problems" and on the major components of the network, such as servers and routers. Their job is to get the new hire up and running quickly, make sure your employees can access data remotely, and implement a robust procedure for backing up your data. They aren't experts in cyber security. But they don't need to be.

You aren’t in the cyber security business. You and your system administrator need to focus on serving your clients and building your business.

Instead, outsource for the specialized help you need from a Managed Security Service Provider (MSSP), who will provide a systematic approach to deploying and managing cyber security solutions to meet your organization’s needs. But don’t just get help, get good help. Not every MSSP is created equal.

You want to find an MSSP that can help your firm:

  • establish secure computing standards;
  • develop a secure baseline for your computing environment; and
  • continuously monitor to maintain security and to react quickly to risks.

“I came up with a really good password back in ‘96 and I’m sure no one can figure it out, right?”

Passwords: The longer and more complex, the better.
Password security is one of the most misunderstood and despised aspects of establishing effective systems and data security protocols. Passwords are a nuisance, right? They limit access to data that you need immediately, there are so many of them that you can’t possibly hope to remember them all, and it’s so frustrating trying to get back into a system you’ve been locked out of. They make life more difficult on a daily basis.

However, computer systems keep getting more powerful and network speeds keep getting faster. These advances work against the protection offered by simple password schemes. It is common, and effective, for cyber criminals to gain access to a network with nothing more than a customized password-guessing campaign. Attackers set up automated systems with specially designed dictionaries of hundreds of millions of candidate passwords, plus "mangling" rules that capitalize words, swap letters for look-alike digits, and append or prepend numbers and symbols. The name of your first pet with the number 1 in front of it doesn't stand a chance.

We recommend to our clients that passwords be at least 15 characters long and include at least one capital letter and one symbol, each placed somewhere other than the predictable first or last position. For example, SecurIty!Pr084tect. Keep in mind that password crackers routinely apply letter-to-digit substitutions to dictionary words, so a passphrase built from several unrelated words is both easier to remember and harder to guess than a single word dressed up with substitutions.

Other important aspects of a good password policy include changing passwords every 90 days and locking accounts for 5 minutes after 5 failed attempts. One caveat: current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation unless compromise is suspected, favoring instead screening new passwords against lists of known-breached passwords and adding multi-factor authentication; whichever rotation interval you choose, the lockout rule and the length requirement are the parts that most directly blunt the guessing attacks described above.
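The following is an added example, not code from the original article or from Itegria. It implements the password policy stated above as a checker, shows in miniature how the rule-based dictionary attack described earlier derives guesses like "1fluffy" from a wordlist, and models the 5-failures / 5-minute lockout. The wordlist, the mangling rules and the sample passwords are constructed for illustration and are a tiny subset of what real cracking tools use; the reading of "at a random location" as "not only at the first or last character" is an assumption.

```python
"""Password policy check, a toy rule-based dictionary attack, and a lockout
counter.  Added example, not code from the original article; the wordlist,
the mangling rules and the sample passwords are constructed for illustration
and are a tiny subset of what real cracking tools and wordlists contain."""
import hashlib
import string

SYMBOLS = set(string.punctuation)
LEET = str.maketrans("aeios", "43105")          # a->4 e->3 i->1 o->0 s->5


def sha256_hex(s):
    """Stand-in for whatever unsalted fast hash an attacker captured."""
    return hashlib.sha256(s.encode()).hexdigest()


def meets_policy(pw, min_len=15):
    """Return a list of violations of the article's policy (empty = passes).

    Policy: at least 15 characters, at least one capital letter and one symbol.
    'At a random location' is interpreted here (an assumption) as: the only
    capital must not be the first character and the only symbol must not be
    the last, because 'Password1!' is exactly the pattern crackers try first.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    symbols = [i for i, c in enumerate(pw) if c in SYMBOLS]
    if not uppers:
        problems.append("no capital letter")
    elif uppers == [0]:
        problems.append("only capital letter is the first character")
    if not symbols:
        problems.append("no symbol")
    elif symbols == [len(pw) - 1]:
        problems.append("only symbol is the last character")
    return problems


def mangle(word):
    """Yield the candidates a cracker derives from one dictionary word using
    a few common rules: case changes, leet substitution, a number (0-99)
    appended or prepended, and a trailing symbol."""
    bases = []
    for b in (word, word.capitalize(), word.upper(),
              word.translate(LEET), word.capitalize().translate(LEET)):
        if b not in bases:                       # keep order, drop duplicates
            bases.append(b)
    for base in bases:
        yield base
        for n in range(100):
            yield f"{base}{n}"
            yield f"{n}{base}"
        for s in "!@#$":
            yield base + s
            yield base + s + "1"


def crack(target_hash, wordlist, max_guesses=1_000_000):
    """Offline guessing against a captured hash.
    Returns (password_or_None, number_of_guesses_made)."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            if sha256_hex(cand) == target_hash:
                return cand, guesses
            if guesses >= max_guesses:
                return None, guesses
    return None, guesses


class Lockout:
    """Per-account lockout: after `threshold` consecutive failures the
    account is refused for `duration` seconds (article: 5 failures, 5 min)."""

    def __init__(self, threshold=5, duration=300):
        self.threshold, self.duration = threshold, duration
        self.failures = {}        # account -> consecutive failure count
        self.locked_until = {}    # account -> unix time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record(self, account, success, now):
        """Record one login outcome; return True if the account is locked."""
        if self.is_locked(account, now):
            return True
        if success:
            self.failures.pop(account, None)
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.duration
            self.failures.pop(account, None)
            return True
        return False


if __name__ == "__main__":
    WORDLIST = ["password", "welcome", "fluffy", "security", "protect"]  # constructed
    for pw in ("1fluffy", "SecurIty!Pr084tect"):
        print(pw, meets_policy(pw) or "passes policy", crack(sha256_hex(pw), WORDLIST))
```

Run as a script, it reports that "1fluffy" fails the policy and is recovered after roughly two thousand guesses from a five-word list, while "SecurIty!Pr084tect" passes and is not derived by single-word mangling. Two design points worth noting: real crackers also combine words (so two mangled dictionary words are not out of reach on a fast unsalted hash), and attackers counter per-account lockouts by "spraying" one or two common passwords across many accounts, which is why the lockout counter above is per account and should be paired with monitoring for failures spread across the user population.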

Want to learn more?

To learn more about best practices in cyber security for RIA firms or to read about more common mistakes or red flags in your information technology network, check out our new book RED FLAGS: Recognize and eliminate the risks in your RIA firm’s Disaster Recovery, IT Compliance, and Cyber Security processes to safeguard your reputation and client trust. For a limited time you can download a Kindle reader version of RED FLAGS from Amazon for only 99¢. Grab your copy today to recognize and better control risks in your firm’s Disaster Recovery, IT Compliance, and Cyber Security processes.

Think you have an IT issue that needs immediate attention? Give us a call at 888-996-4642.
