Cybersecurity Best Practices for RIAs: Your Action Plan to Protecting Your Clients and Your Practice
In the last several years, investors have increasingly turned to virtual environments to engage with their professional partners, checking account balances, initiating trades and carrying out complex financial transactions all online. As the pandemic took hold, the trends shifted significantly toward an all-digital world, and it appears the RIA industry is embracing the new normal as well.
While the online environment offers many perks and efficiencies, it creates vulnerabilities among those who use it. In 2019, over 60 percent of compromised data originated in financial services organizations, according to research from Bitglass, a cloud security firm. This number has alarmed many, and the SEC is proactively working to mitigate the risk with increased scrutiny in its examination of financial services firms.
October is Cybersecurity Awareness Month, and the initiative sponsored by the Cybersecurity & Infrastructure Security Agency (CISA) presents an opportunity to assess your cybersecurity plan. Advisors need to take action to protect their practices and their clients, and there are some basic steps advisors should follow to ensure they are well prepared.
- Establish policies and procedures – RIAs must establish specific rules and requirements for staff around cybersecurity measures, including what team members should and should not do with regard to data. This cybersecurity guide should be customized to the firm and include checklists and best practices for the team’s standard workflow and any specialized needs. The rules and procedures for a small shop that relies on administrative staff for support will look quite different from those for a larger team with dedicated client-facing personnel. However your team decides to manage the policies, it is smart to provide a copy to all team members so they have quick access moving forward.
- Assess your third-party vendors – It is not enough to have your own policies and procedures in place; RIAs need to assess the processes their partners and vendors follow too. Part of the vetting process should include a vendor review template that touches on key areas including the following: Has the vendor completed penetration testing? Have they experienced a data breach? Do they have cybersecurity certifications? Do their emails use proper encryption? Who has access to the data? How is the data protected? Advisors must take care to assess these high-level risk factors before engaging with an outside partner.
- Educate your team (and do it often) – Even the most ironclad plans can be compromised by simple human error. Often, data breaches and security threats come down to phishing emails or scams and personnel who don’t know what to do. Even seemingly innocuous practices — like setting up your laptop in the local coffee shop while waiting for a meeting or leaving your computer unlocked while you run to the office kitchen — can create significant risk for the firm. It is essential that your team stays vigilant about daily business activities and remains updated on the latest threats.
- Assess your vulnerabilities with stress testing – Any firm can go through simple cybersecurity training and check a box. However, the firms that will be most successful in protecting their clients and their practice are those that undergo stress testing and realistic data breach simulations. For example, run unannounced simulated phishing campaigns and penetration testing to identify vulnerabilities and address them as they are found. In addition, look for a partner who can provide guidance on what other RIAs have experienced and how they have successfully adjusted their approach to safeguard their data.
- Have your post-breach action plan ready – While the above steps will help mitigate your risk of a cyberattack, the reality is that data breaches happen to even the most prepared among us. RIA practice leaders need to have an action plan that is put into effect in the event of a data breach. This includes a detailed outline of next steps, specifically how the affected system is disabled; a communication timeline for alerting partners and clients; contacts at your technology and security partners; and more. It can even go as far as detailing client-facing offerings like credit monitoring services to help clients feel safe following an attack.
Don’t Forget to Share With Your Clients
Creating a cybersecurity action plan is an essential business practice in today’s environment, and the moves you take to protect your firm matter to your clients too. They want to know you are taking every precaution to safeguard their information and data. Let them know the work your firm is doing to educate and train the team, how you are vetting vendors and partners, and what your plans are in the event of a security breach. Such action adds value to your relationship with clients.
Our Commitment to the Network
Technology has become central to our lives, and as more people work remotely and conduct daily activities online, the network will come under increasing strain. It is essential to partner with a cybersecurity organization that can protect you as hackers become more sophisticated and adapt to our current environment. You want to feel confident that you have the right partner to support your firm.
Our team recognized an opportunity to fortify our cybersecurity practices, and within the last year, we began the process of reviewing different cybersecurity partners. Clients trust us with their most confidential information, and it is critical that advisors are confident in their ability to keep this data safe. We ultimately decided to engage with Align Cybersecurity, the premier global provider of technology infrastructure solutions, to keep our team up to date on the latest trends, innovations and news in the space. We are dedicated to sharing this information within our network so you are equipped to make informed decisions for your practice too.
We are continuing to spotlight the importance of cybersecurity during Cybersecurity Awareness Month and beyond. Be sure to check back for an exclusive Q&A on our blog with John Araneo, our virtual Chief Information Security Officer and Managing Director, Cybersecurity and General Counsel of Align. In the meantime, connect with us on LinkedIn and Twitter for our latest insight and team updates.