As Wannacry showed us, taking time out for proper technology management only seems cumbersome until your firm is hit.
RIA owners can follow these four steps to get the most out of technology while protecting themselves from cyberthieves. When advisers make smart decisions about technology usage, they are engaging in a pre-emptive strike against potential fallout from future cyberattacks.
1. Firm specs should dictate technology spend.
The numbers of employees and office locations should be key factors in determining the firm's technology strategy. A decentralized environment means every function and application — such as CRM,
financial planning,
portfolio management, billing, archiving or marketing — is managed independently and directly with vendors. This is a cost-effective and adequate route for a two- or three-person firm, assuming everyone is a trusted employee or partner.
A centralized approach means that one IT service provider manages security and access to all applications, which can help large firms or those with multiple offices. Centralization offers the opportunity to balance productivity with compliance and security by streamlining firm-wide supervision of routine and complex tasks — i.e., new software installations or updates, user control or security patches.
RIAs do not have to choose between these two extremes, however. Advisers who want oversight over certain applications to remain in-house but use an outside provider to manage the rest can seek out a hybrid IT environment for their firm's needs.
(More: Cyberattack should prompt advisers to ask their IT professionals hard questions)
2. For maximum ROI, stick to clear technology policies and procedures.
Developing consistent and enforceable policies and procedures is the most important thing an adviser can do to prevent cybersecurity breaches. It is also the most complex and time-consuming part of technology management.
RIA office manuals should contain concrete plans for managing a cyberattack. Preventative and reactive items should be clearly spelled out and understood by the entire firm. Advisers should create action plans for dealing with each of the firm's constituencies: employees, clients, partners, media, law enforcement and government.
When developing policies, advisers should consider all levels of security within the firm, who has access to what and control administrative privileges accordingly. Limiting the ability to install and execute applications will help control what gets onto the firm's network and prevent ransomware attacks.
3. Create specific policies for social media.
Social media is one way for today's advisers engage with clients and promote themselves. It is also a direct portal to cyber-incidents. Consider how much business and personal information is available online, and recognize that this is source material for advanced phishing campaigns.
RIAs should monitor social media for public and employee comments, and firm policies should restrict what can be said on professional and personal social media accounts, which are a treasure trove for cyberthieves. Advisers should also include any firm social media accounts in the archive process for auditing purposes.
(More: SEC alerts advisers on WannaCry ransomware cyberattacks)
4. Run disaster recovery and continuity planning drills.
For the most security, everyone must buy into the RIA's policies and procedures.
Advisers should train everyone in the firm to realize the critical role each person plays and that everyone is equally capable of causing major issues. Consider conducting mock cybersecurity drills, or scheduling periodic test phishing emails or phone calls to test working knowledge and how to handle clients. Everyone can be trained to recognize red flags such as emails asking for personal or credit card information, requests for immediate action regarding unfamiliar situations, or emails that include suspicious attachments.
RIA owners should also lead by example. Discuss technology matters in staff meetings and in other internal communication. Monitor and test for understanding of the firm's cybersecurity protocols. Be sure everyone knows when an incident occurs, and equally important, positively affirm the individuals who report mistakes early.
No RIA firm can be 100% cybersecure, but advisers are still on the hook for protecting themselves. Any adviser who has been the unwitting victim of a cyberattack knows that investing in time and resources up-front is well worth it. Protocols that were once dismissed as inconvenient or inefficient will either be the lifeline an RIA needs to protect itself, or a series of "woulda, coulda, shoulda" regrets as hindsight becomes 20/20.
(More: Editorial: Ransomware attack underscores importance of cybersecurity)
Wes Stillman is the chief executive officer of RightSize Solutions, a provider of cybersecurity and technology management services for wealth management firms.
