
Cybersecurity: The must-do steps for every adviser 

Advisers grappling with the issue of cybersecurity can easily feel overwhelmed given the enormity of the threat, the relative meagerness of their resources and the speed with which disasters can unfold. Adam Moseley offers advisory firms, of any size, not just hope but practical steps they can take immediately to minimize those threats and dramatically bolster their own cybersecurity, as well as the protections they afford their clients.

Leading a session at IMPACT 2017, Mr. Moseley — formerly a member of the technology consulting team at Schwab Advisor Services and now managing director of business consulting — had a message that at its core was hopeful, and perhaps surprising. 

“Don’t think of cybersecurity as a tech thing; think of it as a people thing,” he said, basing his possibly counterintuitive point of view on his experience helping advisers at firms of all sizes and at all levels of cyber preparedness.

The top concerns of those firms — whether large or small, and whether the firms were well-prepared for cyberthreats or not — involved people.

“There’s the worry that someone will open the wrong link or approve a fraudulent transaction or do something else, probably inadvertently, that would compromise the firm,” he said.

The cybersecurity solution, therefore, must be centered on people. That involves creating and enforcing standards and procedures, as well as continuous training.

“With training, you can create a human firewall that is stronger than any tech solution in protecting your firm from cyberthreats,” he told the assembled advisers.

One reason Mr. Moseley stressed the human over the technological is that cybercriminals are coming up with new ways to steal data and break into systems faster than good-guy technologists can come up with solutions. Perhaps equally important is that with training, advisory team members can use common sense and the many protective tools that already exist to do a much better job of protecting the firm and its clients.

Based on a recent report from the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations, which contained observations based on the SEC’s cybersecurity examinations, Mr. Moseley suggested three areas where firms could improve their procedures and bolster training to protect themselves and their clients as well as prepare for an OCIE cybersecurity inspection. 

First is documentation, which the SEC often has found to be too general, too narrow, or not detailed enough to be useful. Firms should maintain up-to-date and complete inventories of the data, information and vendors they use, as well as classifications of the risks, vulnerabilities and business consequences connected with each of their service providers and vendors.

Second is inconsistent application of a firm’s own procedures. Some firms state they conduct annual customer protection reviews, for example, when they actually conduct them less frequently. Mr. Moseley’s advice: If you say you are doing something, do it — and document what’s being done.

Finally, update and maintain the software you already have. 

“Most security incidents exploit vulnerabilities that are more than three months old,” he said, so it’s imperative to continually update and patch existing software, and document the updates. The process is so important, in fact, that Mr. Moseley believes it “can’t be left in the hands of users” and must become a formal role within the firm.

His other thoughts, suggestions and recommendations:

  1. Client asset transfer requests: This is a growing area of fraud, especially elder fraud. Evaluate and authenticate every single asset transfer request, no matter how seemingly urgent. Some firms use FaceTime to authenticate requests, since visual identification of the account holder is valuable.
  2. Email: Mr. Moseley considers email “the single greatest threat.” He says every single cybersecurity incident he is aware of has come by way of email, and recommends that every person at your firm be suspicious of “every single email coming in.” 
  3. Most common cyberthreats: Phishing, malicious links, social engineering, email spoofing, email account takeover, malware.
  4. Outside resources: If you have cybersecurity insurance, ask your carrier for help in a cybersecurity assessment. Also ask about conducting a drill or mock attack.
  5. Passwords: Make them long — at least 15 characters in length — make them a phrase, and make them unique. Cracking one client’s or employee’s password often opens the door to cybercriminals cracking a multitude of accounts. Mr. Moseley says that not using dual-factor authentication when it’s available is very reckless and that using a password manager is fine, as long as it’s from a firm known for high quality that’s been around for a while.
  6. Public Wi-Fi: Never use it for company business.
  7. Shredding parties: These are great client events in which you can teach important lessons about cybersecurity and have them bring in paper records they may be able to destroy. Local FBI offices often are happy to take part in these events. 
  8. Use of non-company machines/devices: The most effective, if expensive, solution is for every device your employees use for business to be company-owned and used exclusively for business. Absent that, employees’ devices used for business should be added to the firm’s protective systems and procedures. Still, many firms don’t allow employees who use their own devices to communicate with the firm remotely.
  9. Website filters: Use them at either the firewall or router level. Firms can filter by category (such as gaming, social media or personal email) and can set up a guest network for their employees’ and visitors’ personal email. Firms also should regularly wipe employees’ mobile devices clean of company information. 
