The massive Equifax breach announced to the public in September 2017 only serves to fuel the daily angst I feel as the chief compliance officer/chief investment officer for our $200-plus million RIA. If Equifax, with its tremendous resources, can be compromised, what fate awaits us in an environment of unrelenting cyber warfare?
As a small RIA, we can't mount the same defense against cyber criminals as large, deep-pocketed firms. However, we still have the same responsibility to safeguard our clients' nonpublic information (NPI). This stark reality serves to crystalize our approach to building an adequate defense. Here is the foundation of our cyber plan:
- Acknowledge
We begin by acknowledging certain fundamentals about cybersecurity:
- We have a regulatory, if not sacred, responsibility to shelter our clients' NPI.
- Our resources are limited in the fight to protect client NPI. This is true in terms of dollars, tools and, most likely, comprehension.
- Protecting NPI is fraught with risks both real and significant.
- Whatever our plan and process entail, we monitor constantly and seek continuous improvement.
- Most of what constitutes cybersecurity is very technical in nature, way above our pay grade and well out of our wheelhouse of expertise, so we must assemble a competent team to assist us in this endeavor.
- We can delegate much of what should be done, but we can't delegate responsibility for protecting NPI. Ultimately, we shoulder the burden of protecting the personal information clients entrust to us.
- Assess
Guidance provided by the Securities and Exchange Commission and templates offered by organizations such as National Institute of Standards are, in a word, overwhelming. When assessing your cyber posture, it is very easy to lose your mind in the cacophony of these complex and often arcane materials.
Understand where the risks lie. Whether at rest or in motion, data is subject to compromise. In either case, we must protect our clients' information.
Inside the firewall are issues internal to our firm, outside of the firewall external issues related to the third parties with whom we work. Viewing cyber issues in this manner helps to maintain perspective and to digest manageable pieces.
Internally, assess people, systems and hardware. Is our team trained, aware and practicing sound cyber hygiene? Are team members following established processes? Do team members understand the importance of avoiding using firm systems for personal business?
Team members must comprehend that they risk a breach of our carefully constructed defenses when they conduct personal business on over our network. Specifically, our team should access their personal systems on our guest network, which is outside of the firewall.
Critically, employees are our greatest risk, and that risk simply falls into the realm of unintentional and unnecessary mistakes. They must be diligent and thorough; lazy and sloppy doesn't work.
Customer service standards may need to be adjusted. For example, verbal confirmation of wire transfers is a must, which may be a departure from current practices. Don't compromise, retrain staff and clients as necessary to conform to this environment. Beyond training, nurturing a culture sensitive to sound cyber practices and awareness is essential. Encourage staff to escalate concerns and problems quickly.