FIN Family of Companies

Advisor prep for Data hacks and CyberSecurity Policies

By Cory Roberson, Principal at RIA Review and RIA Consults
On 10/31/17, we discussed tips for reviewing Disaster Recovery measures for your firm.  Now, let’s take a closer look at another possible standard business disruption (SBD):  Data Hacks.

Case Study (Equifax)

Seven Ways for Advisors (or Clients) to shield themselves during a hack

Contact Equifax to determine whether your data was exposed.
Obtain a copy of your credit report.
Purchase a credit monitoring service.
Request credit alerts from the credit bureaus.
Place a security freeze on your credit files (this prevents new lines of credit from being opened in your name).
Change passwords, starting with e-mail and financial accounts.
Monitor account statements for unauthorized activity.

What does the SEC say about this?

The SEC Office of Compliance Inspections and Examinations (OCIE) ran a cybersecurity initiative under its National Examination Program last summer and has posted several observations. The examinations focused on firms' written cybersecurity policies and procedures and included validating and testing that those policies and procedures were actually implemented and followed.

After examining risk assessments, access rights and controls, data loss prevention, vendor management, training and incident response, the examiners found several issues that needed work.
The OCIE examiners found that many firms had not installed software patches, including patches that contained critical security updates. Applying those updates promptly helps ensure that your clients' personal information is protected and is not exposed to parties outside your organization.
Examiners also observed that, although most advisors had policies and procedures in place, those documents gave employees only general, vague guidance rather than specific instructions.

What about State-Registered firms?
According to the NASAA Cybersecurity Report (2017), based on more than 1,000 state securities examinations:

4.1% of firms indicated that they had experienced a cybersecurity incident.
85% of state registrants use computers, tablets and/or smartphones.
92% of firms use e-mail to contact clients (only 50% use secure e-mail).
56.7% of firms have procedures to authenticate instructions received from their clients.
62% of firms have conducted a cybersecurity risk assessment.
44% of firms have procedures in place for cybersecurity.
47.5% of firms have procedures for the storage of electronic data.

Conclusion

Firm Cybersecurity Policies should include the following:
Maintenance of an inventory of data, information systems and vendors.
Detailed cybersecurity-related instructions.
Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities.
Established and enforced controls to access data and systems.
Mandatory employee training.
Engaged senior management.


Our Mission: “Serving the Investment Community to Make a Social Impact”

Compliance

FIN Compliance (FinCompliance.io) is a consortium of compliance services that includes RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); and RegTech Products, a product notification portal for product offerings in financial services markets.

Business Listings

FIN Community (FINcommunity.io) is a business listing and network for providers in the Financial Services, FinTech, RegTech, Crypto and Blockchain communities.  We believe in supporting the gig economy through building business opportunities.

Impact


SoCap Missions (socapmissions.com) provides business support group sessions. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand and India.
