Lessons in improving adviser cybersecurity

From an issue that was hardly a blip on the radar screen of adviser concerns just a few years ago, cybersecurity is now a top-of-mind concern at advisory firms of all sizes and at the industry’s chief regulator, the Securities and Exchange Commission.

“In fact, 90% of our advisers say it’s their number one compliance concern,” said Michelle Thetford, Schwab’s vice president for adviser services risk and controls.

Cybersecurity and all its ramifications were the subject of several formal sessions and of informal talks among advisers throughout IMPACT.

Gold-standard cybersecurity program: A five-step framework

For advisers wishing to build a “gold-standard” cybersecurity program, Michelle L. Jacko and Craig Watanabe, chief executive and senior compliance consultant, respectively, at San Diego, Calif.-based Core Compliance and Legal Services, Inc., offered a five-step framework based on guidelines from the National Institute of Standards and Technology.

1. Advisers should first identify potential cyber threats by conducting a self-assessment and then hiring a third party to conduct its own independent assessment. Firms should also conduct periodic vulnerability assessments run by outside qualified information technology specialists trained in security, so that a firm’s IT department is not testing its own work.
2. Second, advisers should protect against cyber threats by designating someone to be responsible for cybersecurity, defining what is covered by the cybersecurity program, creating reasonably designed policies and procedures, and ensuring that a clear supervisory and escalation structure is in place.
3. Firms also should mandate a two-factor authentication protocol and adopt and enforce a strong password policy in which passwords must be at least 10 to 12 characters long and expire every 90 days.
4. Detection is the next step, and if firms can afford it, they should employ intrusion-detection monitoring software. If they can’t, firms should periodically monitor firewall logs for unusual activity and employ “honeypots,” or locations within the network where seemingly attractive data is made available but access is monitored.
5. To respond to cyber threats, advisers should develop a checklist of action steps that will be taken. These often include an investigation into the event, communications with affected parties, analysis, damage mitigation and system improvements to be made.
6. Finally, recovering from a cyber threat involves developing and implementing plans for resilience and restoration of any capabilities or services that were impaired in a timely manner. Similar to a business continuity plan, a recovery plan should take into account various scenarios and the response to each.

“Because cyberattacks are the source of many significant business disruptions, cybersecurity has significant overlap with business continuity planning,” said Jacko, who noted that two of the hottest topics in advisory firm cybersecurity discussions are employee training — since 70% of breaches involve a compromised user — and the importance of due diligence on service providers.

The latter was the subject of another well-attended cybersecurity session at IMPACT. Moderated by Michelle Thetford, who works with Schwab’s Cybersecurity Resource Center, “The Cybercriminal’s Back Door: Locking Down Vendors to Avoid Cyber Break-Ins” focused on one of the SEC’s chief concerns — the fact that 74% of advisers examined by the Office of Compliance Inspections and Examinations have experienced cyber-attacks directly or through one or more of their vendors.”

Attacks through unprotected vendors can result in the loss of client data and pose risks in the area of fraud, brand and reputation, and regulation. Thetford said that the SEC requires firms to have policies and procedures in place for selecting, monitoring and overseeing vendors and contract terms. The SEC also wants firms to maintain lists of third-party vendors that have access to the firm’s network or data, as well as the type of service(s) provided by each vendor.

In a related session, Thetford and Jacko prepared advisers for an SEC cyber exam by reviewing the SEC’s recent Cybersecurity Examination Initiative, in which the agency has asked for information regarding firm policies and procedures for vulnerability scanning and penetration testing.

Robert Ross, an attorney and chief compliance officer at the New York-based Sontag Advisory, related his firm’s experience with a recent SEC cyber exam and noted that the SEC’s focus was on the documentation and evidence of the processes that were adopted and the level of technical detail the firm provided.

With all the emphasis on the prevention of sophisticated cyberattacks, Thetford observed that advisory firms must also keep their guard up for “plain old wire fraud,” especially where older clients are involved.

“Criminals never stop trying to steal money from client accounts,” she said.