When it comes to privacy, as a Hedge Fund or Registered Investment Advisor (RIA), the protection of your clients' data is critical. A data breach might not only jeopardize your reputation but also result in hefty fines and penalties. Last year, the SEC fined an RIA for failing to have adequate cybersecurity measures in place before a breach occurred.
The SEC recently announced Regulation 206(4)-9, regulations that will outline cybersecurity expectations for all registered firms. These regulations will start to move the SEC cybersecurity rules into a more solid form.
Here are all 244 pages of the SEC proposed cybersecurity
It comes as no surprise that the SEC cybersecurity guidance places heavy emphasis on making sure safeguards exist to protect client information.
Here are some simple steps to follow if you are worried about your RIA’s cybersecurity compliance workflows.
1. Cybersecurity Policies and Procedures Manual
Regardless of how small or large your RIA firm is, you must have a rudimentary security plan in place to detect and react to potential dangers. The security program does not need to be comprehensive; however, it should contain the following essential components:
- Cybersecurity Awareness Training for all employees. (FieldCraft is awesome at this and FREE)
- Proper Password Hygiene Policies
- System Configuration Guidelines
- Vendor Security Requirements
- Incident reporting and analysis process for documenting and analyzing security events
Are you missing an RIA Cybersecurity Policies Manual?
2. Employee Technology Usage Agreement
The framework you come up with must be formally documented. Employees should all be required to sign a basic company security policy to demonstrate that the policy has been communicated to them. At MTradecraft, we call this the Employee Technology Usage Agreement. Annual security awareness training should cover things like how to choose a strong password and the risks of email-based “phishing” scams.
3. Lock Down the Fort
There are a plethora of security solutions available on the market. You don’t need to use all of the most recent and cutting-edge tools, but make sure you have a few of the fundamentals covered:
- a) Get rid of the Bring Your Own Device (BYOD) Policies
No. You cannot allow your employees to bring their own devices. If you knew all of the things your employees were doing on their cell phones, then you most definitely do not want them bringing those devices onto a secure network. I get calls all the time asking “Well, what if I do this, that, and the other thing?” The answer is still No.
- b) 2FA/MFA
2FA/MFA is necessary on every system, whether it be a personal computer, work laptop, mobile device, or other networked device. You can’t use the system if you don’t have MFA. There is no excuse for not having 2FA/MFA in place, and the SEC and FINRA will fillet you alive if they find that to be the case.
- c) Email Encryption
RIAs frequently need to obtain sensitive information from consumers. Businesses must ensure that their personnel have a simple method for securely sending and/or receiving sensitive email messages and/or documents. You’ll want an encryption service for companies that use third-party hosted email services, such as Office 365 or Google Apps for Business.
In addition, only the people communicating can read the messages since they are encrypted end-to-end. This implies that no eavesdropper may get access to encryption keys needed to decrypt the conversation, including telecom providers, internet service providers, and even the company that operates the messaging service.
- d) Secure File Exchange
Cloud file-sharing services, such as ShareFile and Box, have become increasingly popular alternatives to sending sensitive documents via email. While these solutions do offer greater security than email, certain limitations render them potentially hazardous for storing personal data.
The major drawback is that the provider has total access to your stored data, which means that if someone on their end decides to look at it (or, more likely, their system gets hacked), your files are exposed. A service that encrypts the files end to end, so that the provider never holds the keys, is another way to reduce that risk.
- e) VPNs for Remote Access
Employees that travel frequently should have access to a Virtual Private Network, or VPN, for remote internet access. Most open WiFi hotspots leave users susceptible to DNS spoofing and “man-in-the-middle” attacks, which can be combated by using a VPN.
4. Test your Security through Security Assessments
Once you’ve put your plan into action, you’ll want to conduct periodic testing to ensure that it’s still effective. Security awareness assessments may include hiring a service to run a simulated phishing campaign against your users, or having a vendor “scan” or “attack” your systems to find out whether they are vulnerable to common security flaws.
Never expect to come out of the assessment with a completely clean bill of health. MTradecraft has performed hundreds of these audits and has never left an engagement without finding 7-10 vulnerabilities. It is unusual for an audit to come up empty.
It’s critical to grasp the technical and commercial consequences of these findings so that you can decide whether the expenditure required to address the problem is worthwhile.