What the Securities and Exchange Commission calls an "incident" in its Incident Response Plan, most people would call a "breach," Brian Edelman, founder of cybersecurity firm Financial Computer, said in a session on Wednesday at the TD Ameritrade National LINC 2016 conference.
For example, if an advisor's laptop is stolen and it isn't encrypted, that would constitute a breach; were it encrypted, it would only constitute an incident.
Neil Baritz, co-founder of Baritz & Colman LLP, referred to a case in which the SEC fined R.T. Jones $75,000 following a breach that put the personally identifiable information (PII) of 100,000 people at risk; the penalty was for the firm's lack of written cybersecurity policies rather than for any consequences of the breach itself.
Baritz stressed that firm personnel need to understand the role they play in protecting client information.
Preparing for the Inevitable
Craig Moreshead, director of compliance for Regulatory Compliance, said in a following session that firms can't prevent a breach, but they must take steps to minimize the impact. He said the chief information security officer can be an individual or a committee, and recommended forming a team including key members of the sales, human resources and technology divisions to be responsible for cybersecurity.
Firms also need to understand their third-party vendors' cybersecurity policies, as a lot of client data is actually housed somewhere else.
He stressed there's no cookie-cutter approach to creating a best practices policy. Advisors have to be introspective about their firm and what they need.
He added that a cybersecurity policy should also address physical data: who can access file cabinets, where documents are stored and who can access that part of the building.
Mobile devices need to be addressed, too. Regardless of who owns the device, if it's being used for work, it should be covered by the policy.