The first step in measuring your cybersecurity preparedness is to track your metrics. Track your history of cyberattacks or attempts (distributed denial of service, network intrusions and data theft), procedures in place (encryption for all devices and email, Adobe Patch Coverage, Microsoft Patch Coverage and anti-virus coverage) and security awareness among employees.
There is a checklist from FINRA and a Cybersecurity Assessment Tool from the Federal Financial Institutions Examination Council (FFIEC) available to help advisors organize their data and determine risk levels. You can also take advantage of free web server encryption tests, which probe and analyze communication security.
Of course, the complicated layers of technology connection types, delivery channels, online products and services, and organizational structures within each practice make every advisor's risk unique. Consider hiring an outside IT advisor with credentials in cybersecurity and financial services to make the most of these assessments. Smaller operations where one person may be responsible for compliance, legal functions and the cybersecurity program are particularly advised to hire extra help.
As you evaluate how you'll protect client information and your own system operations, be sure to evaluate how your insurance will protect your business. Some firms and independent advisors leave it up to a cyber-coverage rider attached to their traditional errors-and-omissions coverage. These policies may not cover regulatory fines or all claims, therefore you may want to consider a standalone policy.
Preparing for Potential Cyber-Threats
Once you've understood your digital strengths and weaknesses, it's time to document detailed policies and procedures for all areas of your business.
Consider these six key cybersecurity areas, which are also the focus of OCIE examinations:
- Governance and risk assessments. These appraisals should be conducted no less than once a year. Conduct network and server vulnerability scans, maintain the latest antivirus protections in all devices and be proactive in managing patches. Software patching means updating systems and applications such as browsers, plugins, desktop apps, etc. If a system is unable to be updated, it's left vulnerable to hacking exploits. Server message block (SMB) protocols, widely used for file sharing between devices in Windows-based systems, have been attacked when not patched. The recent WannaCry ransomware attack wreaked havoc in more than 200,000 computers in businesses and institutions around the world this way.
- Access rights and controls. Encrypting software and hardware, and backing up data is common practice for businesses that handle sensitive information. Password protection and tracking log-in failures are also critical to security. Mandated password updates every 90 days could refresh your access-controlled front. Efficient use of data and tools is important to serving clients. However, limiting employee access to a "need to know" basis could prevent unnecessary human error or data mismanagement in the event of a personnel or system change.
- Data loss prevention. The Securities Exchange Act requires firms to preserve electronically stored records. Today, some advisors recently have turned to cloud-based data backup services. There are risks, however, in using a cloud for sharing data internally and externally – your control over the technology may be weakened or complicated. Data loss protection solutions include content scanning and inspection technologies to monitor and sometimes block data movement at three levels: client level (in operation), network level (in transit) and storage level (at rest). You should create policies well-defined for each level, so when data moves in and out of your network, a scan can assess the sensitivity of material and the appropriateness of the data location.
- Vendor management. Find out about your vendors' technical safeguards, such as limits on data access, virus protection, idle browser session timeouts, strong password requirements and encryption of data at rest or in transit. They should have regularly updated software and firewalls, as well as accredited audits. Ask about their physical and administrative safety; for example, data backups and shredding and disposal procedures. You'll want to complete this due diligence with each vendor on a regular basis, requesting verifying information for your records.
- Incident response. Here's where that insurance policy comes into effect. Documenting a business continuity plan, as required by FINRA, and internal or external distributions of sensitive information will help in making claims. Incident response was rated lowest in how challenging it was to implement in a cybersecurity plan, according to a 2016 FPA cybersecurity survey. Still, fewer than half of respondents indicated they had formally documented policies.
- Cybersecurity awareness training. About two-thirds of advisors spend just two hours or less annually on cybersecurity training, according to a 2016 Financial Planning Association assessment. You can always ask IT staff or vendors to see what can be done to bolster technical safeguards, but don't leave it there. It's imperative to educate yourself, employees and clients about potential threats.
— Read 6 Cyber-Threats for Financial Firms in 2017: Cisco on ThinkAdvisor.