Financial Advisor | 4/3/2017 | John Paul Cunningham
A data breach is a financial advisory practice’s worst nightmare. Not only does a breach have very rapid monetary fallout, but it also often devolves into a reputational fiasco from which few wealth managers can fully recover.
The clear choice here is to avoid these scenarios at all costs. In terms of preparedness, one of the best ways to become secure is by conducting a cybersecurity risk assessment to pinpoint the most vulnerable parts of a wealth management firm, as well as what the business can do to solve the problems that can trigger trouble.
To give you a better idea of how a cybersecurity risk assessment can help, let’s discuss some of the most important components of a cybersecurity risk assessment for a financial advisory practice.
Realize You Are A Target And Understand Your Value
Wealth managers often believe they are too small or too insignificant to be a target. This is rarely true—every enterprise has something of value, and any firm that manages people’s money, no matter what its total assets under management, will be targeted by cyber criminals. The first step in any cybersecurity risk assessment is to figure out exactly where the most valuable data resides within an advisory practice. Hackers perform extensive investigative work before fully initiating a data breach, and they’re often incredibly well-versed in how to access information that they can later sell. It’s the advisor’s job to identify the data that would be most attractive to a cybercriminal.
One reason why it’s such a good idea to start here is that you can actually begin to uncover simple problems that would have otherwise been overlooked. An example might be something as innocuous as repurposing older network switches to cut costs only to realize that this hardware can’t properly segregate network traffic, as was the case with Bangladesh Bank, according to the BBC. By simply taking the time to value and truly understand your practice’s data, you can start to see why cutting corners isn’t a good option.
Determine Who Can Access These Systems
Another major part of any cybersecurity risk assessment is to discover exactly how many people are able to access the information that you’re trying to protect, and then to understand how a malicious insider or outsider might exploit that access. One issue that many wealth management firms seem to encounter is overextending administrative privileges, or simply over-privileging a single account for convenience rather than segmenting access across multiple accounts. While only a handful of people should be allowed access, many wealth management organizations simply grant access privileges to anyone with any level of authority within the business. Admin privileges should be rare in your practice.
On a similar note, you will also want to establish firm policies regarding how people are allowed to interact with company assets. As Charles Cresson Wood pointed out in an article for TechTarget, businesses have the option to either come up with their own procedure or simply follow best practices. Leveraging standards such as ISO 27001/27002 or a framework such as the NIST Framework for Cybersecurity is a great way to establish a baseline of controls by which to measure your organization’s security maturity and effectiveness.
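The access review described above is easy to start with a plain account export. The following is an added example, not code from the article or from Docupace: it takes a constructed list of accounts (the names, the role labels in ADMIN_ROLES and DAILY_ROLES, and the 90-day staleness threshold are all assumptions for illustration) and reports the cases the text warns about: admin rights sitting on a daily-use account, shared admin accounts with no individual owner, admin accounts nobody has used recently, and accounts that have collected several admin roles. The same checks map onto the access-control items in the ISO 27001 and NIST Cybersecurity Framework baselines the paragraph recommends.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Which role labels count as "administrative" and "daily use" is an
# assumption for this example; substitute the role names from your own
# directory, CRM and portfolio tools.
ADMIN_ROLES = {"domain_admin", "crm_admin", "backup_admin"}
DAILY_ROLES = {"advisor", "ops", "email"}

# An admin account with no login for this many days is flagged (assumed threshold).
STALE_AFTER_DAYS = 90

# Fixed review date so the example is reproducible (the article's date).
TODAY = date(2017, 4, 3)


@dataclass
class Account:
    name: str
    owner: str        # the person accountable for the account; "shared" if nobody is
    roles: set
    last_login: date


def admin_accounts(accounts):
    """Names of every account holding at least one administrative role."""
    return sorted(a.name for a in accounts if a.roles & ADMIN_ROLES)


def admin_ratio(accounts):
    """Share of all accounts that carry admin rights; should be small."""
    return len(admin_accounts(accounts)) / len(accounts) if accounts else 0.0


def findings(accounts, today=TODAY):
    """Return (account name, issue) pairs for the access review."""
    out = []
    for a in accounts:
        held = a.roles & ADMIN_ROLES
        if not held:
            continue  # non-admin accounts are out of scope for this review
        if a.roles & DAILY_ROLES:
            out.append((a.name, "admin rights on a daily-use account; use a separate admin account"))
        if a.owner == "shared":
            out.append((a.name, "shared admin account; no individual accountability"))
        if (today - a.last_login).days > STALE_AFTER_DAYS:
            out.append((a.name, "admin account unused for more than 90 days; disable or remove"))
        if len(held) > 1:
            out.append((a.name, "holds several admin roles; confirm each is still needed"))
    return out


# Constructed sample export: a small practice with five accounts.
SAMPLE = [
    Account("alice", "alice", {"advisor", "email"}, TODAY - timedelta(days=2)),
    Account("bob", "bob", {"advisor", "email", "domain_admin"}, TODAY - timedelta(days=1)),
    Account("bob-adm", "bob", {"domain_admin"}, TODAY - timedelta(days=5)),
    Account("itadmin", "shared", {"domain_admin", "crm_admin", "backup_admin"},
            TODAY - timedelta(days=200)),
    Account("carol", "carol", {"ops", "email"}, TODAY - timedelta(days=3)),
]

if __name__ == "__main__":
    print("admin accounts:", admin_accounts(SAMPLE))
    print("admin ratio: %.0f%%" % (100 * admin_ratio(SAMPLE)))
    for name, issue in findings(SAMPLE):
        print(f"{name}: {issue}")
```

Running it on the sample shows the pattern the paragraph describes: `bob` does daily advisory work from an account that is also a domain admin, while `itadmin` is a shared, long-unused account that has accumulated every admin role. The separate `bob-adm` account, used only for administration, produces no finding and is the shape each admin user should have.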
You Need Professional Help
Of course, while performing an assessment on your own is generally a good place to start, you should strive to have an outside assessment validate your findings. Your wealth management firm’s IT department probably doesn’t have the expertise needed to identify all vulnerabilities or assess controls properly, and outsourcing assessments can be a more effective and accurate way to improve your practice’s data security assessment and remediation strategy. You’ll want to ensure that any prospective provider is adequately qualified to get the job done right.
John Paul Cunningham is CIO and CISO of Docupace Technologies. He is a technology executive with deep expertise in technology governance, risk management and information security.
Docupace Technologies, LLC pioneered and implemented SEC/FINRA-compliant Straight-through Processing technology for financial services companies. Docupace’s cybersecurity and document management and workflow solutions simplify the process of capturing, organizing, routing and accessing information for broker-dealers and registered investment advisors (RIAs) that, under new government regulations, must keep thorough, secure records of documents that explain how they formulated recommendations that are in the best interests of investors. Docupace’s innovative products have been proven to significantly reduce not-in-good-order (NIGO) conditions on document processing submissions for financial services companies.
Docupace currently services over 1 billion stored documents from more than 500 Broker Dealers and RIAs. For more information, please follow @docupace.