Advice for RIAs to Manage Cybersecurity Risk in Today’s Environment: An Exclusive Q&A with Align Cybersecurity’s John Araneo
Cybersecurity continues to be an important focus for RIAs, particularly as more firms embrace the virtual and largely decentralized workplace, and both the SEC and the ODD community tighten the prevailing standards and expectations regarding properly safeguarding client data. Our team remains dedicated to providing the tools and resources you need to succeed, and we recently announced a partnership with Align Cybersecurity to keep our team up to date on the latest trends, innovations and news in the cybersecurity space.
The partnership provides us with direct access to some of the leading experts in cybersecurity, and we recently connected with John Araneo, the virtual Chief Information Security Officer of Great Valley Advisor Group. John is the Managing Director, Cybersecurity and General Counsel of Align Communications, Inc., a leading technology and advisory firm in the investment management industry, and he is a long-time investment management attorney and recognized cybersecurity expert. We are excited to leverage his experience for GVA’s benefit and the following post reflects a recent discussion with him in connection with GVA’s partnership with Align and its support of the GVA network, as well as his advice for RIAs. Here’s more from our conversation:
How will Align support GVA and its network of advisors?
Align provides cybersecurity advisory services for investment management and other types of financial services firms. We maintain a specific focus on this industry, have direct lines of communication with the SEC, and work directly with the investor community and ODD firms. My team follows the emerging cybersecurity standards and frameworks and studies the relevant regulations, rules, risk alerts and enforcement actions. We are focused on keeping a finger on the pulse of regulatory changes and best practices recommendations with regard to cybersecurity compliance in the investment management space.
Cybersecurity is a top-line regulatory issue, as well as an operational due diligence focal point. Align takes a unique approach to cybersecurity, and we believe we have “cracked the code” in achieving cybersecurity compliance. Fundamentally, cybersecurity is a multifactorial challenge that requires a multidisciplinary response, and so from the outset, Align assembled an elite team of distinct subject-matter experts in three core disciplines of technology, security, and regulatory compliance. Through our approach, we think we can help investment management firms — whether small or large — satisfy the unique regulatory requirements they face, as well as meet the prevailing ODD expectations to create an appropriately-scaled model cybersecurity program.
How can advisors begin managing cyber risks to their practice?
Cybersecurity has proven to be a challenge across the financial services sector and affects all investment advisers, irrespective of size, notoriety, investment program and/or AUM. RIAs are generally well-acquainted with managing the more conventional and typical risks associated with their business – market risk, liquidity risk, operational risk and compliance are examples. Cybersecurity risk, however, is an opaque challenge for RIAs, largely because it requires at once: (i) a fundamental understanding of technology; (ii) an appreciation of the prevailing cybersecurity frameworks like NIST and ISO; and (iii) an awareness of what regulators have said constitutes a model cybersecurity program. So many RIAs simply don’t know where to start, and lack the time and resources to apply comprehensive understanding to cybersecurity best practices.
While it’s true that there are several core elements of a model cybersecurity program, advisors shouldn’t “DIY” this and should instead identify a partner who understands all aspects of cybersecurity. Fortunately, there are some great cybersecurity solutions out there that are easy to implement, such as employee education, centralizing your policies into a standalone cybersecurity policy, and basic email monitoring and logging. However, it can be overwhelming to navigate the seemingly endless solutions that are marketed to RIAs at rocket-speed. Through all the noise and rancor of everything “cyber,” we’ve observed that to really start gaining on the cybersecurity arms race, the first step is to conduct an initial Cybersecurity Assessment that identifies a baseline of your cybersecurity posture, and illustrates the strengths, weaknesses and any glaring omissions from your Cybersecurity Program. Once this baseline is identified, you can begin to set a cadence and take a methodical and responsible approach to mature the Cybersecurity Program over time, treating it as a process as opposed to a project.
What does a strong cybersecurity risk management strategy look like?
Cybersecurity risk management is complicated because there is a matrix of emerging standards, rules and regulations, laws and best practices to consider across the spectrum of all different industries and regions. Your firm’s approach ultimately depends on where you sit in the world, the technology and information you use, and the customers you serve, as well as your work-flows and data-flows.
With that in mind, for investment advisers, the SEC has charted out seven categorical requirements that each financial advisor needs to consider in designing a model cybersecurity program. We refer to these domains as the “Cyber Seven,” and they include (1) Governance and periodic risk assessments; (2) Data loss prevention; (3) Access rights and controls; (4) Mobile security; (5) Employee training; (6) Vendor management; and (7) Incident response.
While regulators have worked to identify these core areas as the loose anatomy of a Cybersecurity Program, they have not provided direction on how to prioritize these seven areas. There is no cybersecurity checklist, black-letter law, bright-line rules or a safe harbor. The best answer, however, is that a strong Cybersecurity Program is one wherein the RIA can demonstrate it is engaged in the process of understanding its unique cybersecurity risk posture and give a full-throated, confident response as to what controls are currently in place and those which will be determined down the line, as the program matures.
What are common areas of concern you observe in small-to-mid-sized RIAs?
Although the Cyber Seven are not prioritized within a finite checklist, several of these elements are considered more pressing and fundamental than others. There are two common issues we observe among small-to-mid-sized RIAs:
- Not having a centralized policy in place – Advisors need to be able to demonstrate the cybersecurity controls they have in place via a centralized policy. We often see policies distributed among a compliance manual, an employee handbook or other documents with orphaned, singular policies about email use, internet and social media use, document handling, or privacy. These various policy arms need to be centralized in one easily accessible place.
- A disconnect between policy and action – While some firms have a singular policy in place, actually following its guidance presents new challenges. It can be difficult for practice leaders to confidently confirm they are adequately completing certain policies and tasks. For example, some mandates are rooted in technology, making it difficult for the manager to see its impact. Other mandates are operational in nature, leaving managers unsure whether their teams are complying.
Beyond these primary issues, we see firms falling short on employee education and implementing basic data loss prevention controls, including multi-factor authentication, encryption, and a defensible password policy.
What is your best advice for advisors regarding their cybersecurity measures?
The first step is to establish a baseline through a Cybersecurity Assessment that is completed by a credible, industry-specific advisor, specifically one which understands how RIAs operate, the underlying regulatory regime, as well as their investors and stakeholders. This provides a clear perspective on the things you are currently doing, as well as analysis into where there might be gaps. Without this baseline assessment, further action will be fruitless.
The cybersecurity phenomenon itself is still somewhat nascent, but there has been a huge upending of the risk management paradigm amid the pandemic, as more businesses are operating in a remote and decentralized environment. Prior to 2020, the available cybersecurity controls assumed the goal was to protect the centralized network and the data on it. As more employees work virtually, the focus has shifted to protecting the data at the end point, meaning the laptop or other devices you use for work. Your workforce is operating in different ways, and yes, that requires different technologies to allow employees and the firm to function, but it also requires different cybersecurity solutions.
Do you have anything else to add regarding Align’s support of the GVA network and focus on RIAs?
My team has been focused on cybersecurity since 2014 when the SEC held its first roundtable on the subject. We have seen that a lot of advisors initially took a defensive posture and procrastinated on this, and as a result, are largely unfamiliar with the idea of cybersecurity and all the pieces of it. For a long time, it remained unclear to many RIAs as to what they were investing money in and what they were going to get out of it.
The SEC has communicated to our team directly that RIAs can outsource certain core cybersecurity functions while maintaining proper regulatory and fiduciary duty responsibilities. The compliance function is a good example of this, as it is well known that the SEC allows RIAs to outsource the function of compliance, but not the responsibility. The SEC has taken the same position with regards to cybersecurity. To really hit the mark on cybersecurity and do what you are supposed to be doing, you need to find an advisor who understands what the asks are holistically — meaning not just from the technological perspective, not just from the compliance perspective or not just from a pure security perspective, but from a lens that encompasses all three aspects.
Many advisors think a cybersecurity program is a large investment, suitable for larger enterprises. We formed Align specifically to avoid that problem and provide a much more cost-efficient, effective and credible exercise for all sorts of smaller enterprises. There is a way to identify and design an appropriately scaled cybersecurity program for every advisor.