For small- to mid-sized RIA firms, a key part of cybersecurity compliance is completing a checklist or questionnaire from a broker-dealer or a regulator.
Do you have a network firewall in place? Check. Anti-virus? Check. And so on. But checking all the right boxes doesn’t mean your firm and clients are reasonably protected against catastrophic data breaches and other cyber-crime.
Using a checklist, such as FINRA’s Cybersecurity Checklist for Small Firms, is a reasonable start toward a viable cybersecurity program.
But with this type of checklist, certain key items should include follow-up questions that will tell you whether these steps are truly effective.
Let’s look at five of the typical checklist items, and the follow-up questions you should be answering:
- Document the types of data you collect and where it’s stored.
Follow-up question: Do we really need to collect all this data?
The more data you collect, and the more network drives, devices, and users that have access to it, the greater the risk that the data will be exposed and exploited.
The SEC and FINRA recommend that you inventory the types of data your firm collects and where that data is stored. As you do this, take an extra step: Ask what would happen if you didn’t collect this particular data.
For data you do need, ask whether you’re needlessly collecting it in more than one place. For example, do you store clients’ Social Security numbers in an investment account database and also in a billing database? If so, can you remove it from one of these?
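As an added illustration of the inventory step above (this is example code written for this page, not part of the original article), the script below scans a set of datastores for fields whose values look like Social Security numbers and reports any SSN that is held in more than one store. The datastores are constructed in-memory samples standing in for the investment-account and billing databases the text mentions; the regular expression and the store and field names are assumptions, not anything a particular product uses.

```python
"""Constructed example: find SSN-like fields across datastores and flag
SSNs stored in more than one place, so the firm can decide which copy to
remove. Sample data below is made up; no real people or systems."""
import re
from collections import defaultdict

# Matches 123-45-6789 or 123456789 and rejects area/group/serial values
# that are never issued. Deliberately conservative: a false positive only
# sends a field to human review, a false negative hides a copy of PII.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def looks_like_ssn(value):
    """True if `value` is a string formatted like a valid SSN."""
    return isinstance(value, str) and bool(SSN_RE.match(value.strip()))


def find_ssn_fields(records):
    """Return the set of field names whose values look like SSNs."""
    fields = set()
    for record in records:
        for name, value in record.items():
            if looks_like_ssn(value):
                fields.add(name)
    return fields


def inventory(datastores):
    """datastores: {store_name: [record, ...]}.

    Returns (fields_by_store, duplicates): fields_by_store maps each store
    to its sorted SSN-like field names; duplicates maps a normalised SSN
    (digits only) to the sorted stores holding it, for SSNs in 2+ stores.
    """
    fields_by_store = {}
    locations = defaultdict(set)
    for store_name, records in datastores.items():
        fields = find_ssn_fields(records)
        fields_by_store[store_name] = sorted(fields)
        for record in records:
            for name in fields:
                value = record.get(name)
                if looks_like_ssn(value):
                    locations[value.replace("-", "")].add(store_name)
    duplicates = {ssn: sorted(stores)
                  for ssn, stores in locations.items() if len(stores) > 1}
    return fields_by_store, duplicates


# Constructed sample datastores (hypothetical names and made-up values).
SAMPLE_STORES = {
    "accounts_db": [
        {"client_id": 1, "name": "A. Client", "ssn": "123-45-6789"},
        {"client_id": 2, "name": "B. Client", "ssn": "456-78-9012"},
    ],
    "billing_db": [
        {"invoice": 1001, "tax_id": "123456789", "amount": "250.00"},
        {"invoice": 1002, "tax_id": "555-12-3456", "amount": "90.00"},
    ],
    "crm_export": [
        {"contact": "A. Client", "phone": "555-0100"},
    ],
}


def report(datastores=SAMPLE_STORES):
    """Human-readable summary; SSNs are masked to the last four digits."""
    fields_by_store, duplicates = inventory(datastores)
    lines = []
    for store, fields in fields_by_store.items():
        lines.append(f"{store}: SSN-like fields {fields or 'none'}")
    for ssn, stores in duplicates.items():
        masked = "***-**-" + ssn[-4:]
        lines.append(f"{masked} held in {len(stores)} stores: {', '.join(stores)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the sample data, the report shows that `accounts_db.ssn` and `billing_db.tax_id` both hold SSNs and that one client's SSN appears in both, which is exactly the "can we remove it from one of these?" question the checklist follow-up asks. Against real systems, the same logic would be pointed at database exports, file shares, and spreadsheet directories rather than in-memory lists.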
- Password-protect systems you use to store, process or transmit PII.
Follow-up question: Do the users with access to these systems understand how to create effective passwords?
Passwords are among the most common protections for sensitive data. But they’re often the least understood. In fact, some firms will leave default passwords in place for network devices and software – hackers love that handy backdoor into networks.
Create a policy for generating strong, unique passwords and make sure your employees use it. I recommend a password management tool such as LastPass.
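The policy the paragraph above calls for has to be enforced somewhere, typically at the point where a credential is set. The following is an added example for this page (not code from the article, from LastPass, or from any other vendor) of a password-policy check that covers the weaknesses the text names: short passwords, vendor default and common passwords, and passwords that reuse the username. The minimum length, entropy threshold, and the small `KNOWN_WEAK` list are assumptions; a firm would substitute its own thresholds and a much larger list.

```python
"""Constructed example: password policy check plus a generator for strong,
unique passwords. Thresholds and the weak-password list are placeholders."""
import math
import secrets
import string

MIN_LENGTH = 14          # assumed policy value
MIN_ENTROPY_BITS = 60    # assumed policy value

# Constructed sample of vendor defaults and common passwords. A real list
# would be far larger and sourced from device documentation and breach corpora.
KNOWN_WEAK = {"admin", "password", "password1", "cisco", "changeme",
              "letmein", "welcome1"}


def estimate_entropy_bits(password):
    """Rough brute-force estimate: length * log2(charset), with the charset
    inferred from the character classes actually present."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password, username=""):
    """Return a list of policy failures; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in KNOWN_WEAK:
        failures.append("matches a known default or common password")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    if len(set(password)) <= 3:
        failures.append("too few distinct characters")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        failures.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return failures


def generate_password(length=20):
    """Generate a random password that satisfies check_password().
    Uses the `secrets` module, not `random`, so output is unpredictable."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("admin", "aaaaaaaaaaaaaaaa", "Tr0ub4dor&3-Correct-Horse"):
        print(repr(pw), "->", check_password(pw, username="reid") or "OK")
    print("generated:", generate_password())
```

The entropy estimate is deliberately crude (it assumes an attacker guesses uniformly over the inferred character set), but it is enough to reject the default-style strings the text warns about while letting a long passphrase through. The `generate_password` helper is the kind of thing a password manager does for you; the point of including it is that "unique" means generated, never chosen by hand and reused.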
- Use a firewall, malware and antivirus cybersecurity software.
Follow-up question: Do you have a system in place to make sure updates and patches for this software are installed promptly?
When cybersecurity software runs in the background, where most RIAs rarely or never interact with it directly, it can be easy for updates and patches to be left uninstalled. That’s not a good option for a firm dedicated to safeguarding its clients’ money and financial data.
Read the full article here by Reid Johnston, Advisor Perspectives