Contact us: 888-996-4642 | info@itegria.com

5 Things RIA Firm CEOs Need to Know About Cyber Security

All CEOs must understand their company’s security risks, but CEOs of Registered Investment Advisor (RIA) firms need to know their company’s security risks more than anyone. The SEC released survey results earlier this year indicating that 88% of broker-dealers and 74% of financial advisers acknowledged having experienced cyber-attacks, either directly or through one or more of their vendors. According to a study by Websense, financial services firms are hit by security incidents a staggering 300 times more frequently than businesses in other industries.

In April of 2014, after numerous headlines about hacking and data security breaches amongst big companies like Target and Home Depot, the SEC’s OCIE announced that it would be conducting an exam of 50 registered broker dealers and registered investment advisors with a focus on technology, including cyber security preparedness. Your clients demand and deserve protection, and the government will make sure your firm complies. There are no excuses for cyber unpreparedness.

In light of the potential for cyber crime and tighter regulations, we wanted to share 5 things every CEO of an RIA firm needs to know about cyber security.

Compliance

IT Compliance is critical for every RIA firm, and it can be challenging even for the most tech-savvy security and compliance specialists. Adhering to numerous technology-related compliance regulations is an absolute necessity for your RIA firm. The regulations and policies ensure that your organization has the appropriate controls in place to meet mandated financial industry requirements. Compliance violations can not only cause a huge reduction in client confidence, but also the fines for non-compliance can be significant.

A good compliance program outlines an internal framework that establishes communications and measurement procedures to ensure that the firm is able and consistently meeting government regulatory mandates. This doesn’t only apply to large enterprises. Small and mid-size RIA firms can implement robust procedures to protect themselves against cyber security challenges and meet the standards set by regulatory bodies by practicing a focus driven approach. To learn more about his approach, see How RIAs can Proactively Meet Cyber Security Standards.

While there is no way the CEO of an RIA firm can devote the time to stay abreast of changes in technology and cyber crime, he or she should be able to understand the framework established for the firm to spot areas that are out of compliance so the firm isn’t penalized for poor performance in a regulatory audit.

Reputational Damage

Your clients trust you to safeguard their money. A cyber attack can break that trust and even put a financial firm out of business. There’s nothing like a data breach to get a company’s name in the news these days.

CEOs of RIA firms need to ensure that they have a program in place to safeguard their own data, their clients’ data, and access to their clients’ money. Make sure the firm is equipped to quickly deal with the reputational damage a potential attack could cause. Having a plan in place before a cyber attack, will allow your firm to respond faster to any attack, safeguarding valuable client information. Don’t gamble with your firm’s reputation. Invest where needed to protect all parties.

Risk Management

Cyber security isn’t only about spending money on technology, it’s about having the right programs in place. CEOs need to talk with their CTOs, CIOs, or third party technology management providers to really understand how their investment in technology is supposed to protect them.

When it comes to cyber security and risk management, there are three types of risk to address — technical, financial and regulatory. For example, for technical risk the executive team needs to be asking if the right infrastructure is in place to prevent a loss of data and which data if lost would pose the greatest risk to the company. Financial questions should revolve around the financial impact to the firm if data is lost or compromised. Finally, to address regulatory risk, the CEO needs to know if the current cyber security, data protection, business continuity, or disaster recovery program will pass an SEC or FINRA exam.

By understanding the level of risk, the CEO can quantify the business case to invest in the technology, personnel, or a third party management service that fits the firm’s needs.

Company-wide Password Management

At ĪTEGRIA®, we are beginning to install and configure company-wide password vaults for clients (using programs like SecretServer, LastPass, etc.) Why? Because a firm’s network is only as secure as its weakest password. Password vaults allow a company to store its passwords in a secure area. These security applications limit access to company passwords via 2-factor authentication, remove access when needed, and track access of passwords for audit purposes. This is very helpful for compliance exams and audits. Using two-factor authentication is one of the best ways to keep a firm’s data safe and more secure. Every employee has to provide a second piece of — whether it’s a code, or a temporary password, or the swipe of a finger – before the firm’s account can be accessed. There are a variety of options available to make sure the password vault provides the protection your firm needs but is still easy for employees to use.

Setting the example

Not only do CEOs of RIA firms need to take the lead in cyber security preparedness to ensure their organization is capable of meeting cyber challenges, but CEOS must also walk the talk when it comes to cyber awareness and program compliance. In light of the devastating cyber attacks in recent years, a new push is underway in businesses for CEOs to begin measuring or evaluating themselves and each and every employee under their control as to the level of cyber awareness. Is the CEO and the management team walking the talk and holding themselves accountable to the same level of security and awareness? They need to be, to set the example for every employee. Train yourself, your employees and your vendors. Then make sure to walk the talk and adhere to the outlined company security practices.

Have any questions about cyber security, compliance exams, password vaults, or risk management programs? Give us a call at 888-996-4642. We are happy to help. We only serve RIA firms, so we understand the complexities of your industry and can share best practices in cyber security to help you protect your business.

You Might Also Like:

CEOs Need to Walk the Talk Regarding Cyber Security

Which Cloud Based IT Infrastructure is Best for RIA Firms?

3 Key Components of a Robust IT Compliance Program for RIA Firms