Training — The key to better cybersecurity

Cybersecurity is an existential issue for advisory firms because a breach involving loss, theft or misuse of client data could spell the end of the business. Ironically, while technology spawned the cybersecurity issue, technology is not the solution for managing it.

While the heart of the advice business remains the advisor-client relationship, technology has become a critical and ever-growing component. Whatever form technology takes — whether as an advisory tool, a service in itself, a communication vehicle or something new — more and more of the technology used by advisory firms is connected via the internet, creating an ongoing and increasingly critical management concern: cybersecurity.

Simply put, cybersecurity is an existential issue for advisory firms because a breach involving loss, theft or misuse of client data could spell the end of the business. Ironically, while technology spawned the cybersecurity issue, technology is not the solution for managing it, according to Adam Moseley, managing director at Schwab Advisor Services.

“Don’t think of cybersecurity as a tech matter; think of it as a people matter,” he told a packed room of advisors at IMPACT.

“Firms say that people are their weakest link, but you can take what you think is your weakest link and make it your best defense against cybercrime,” he said. “You can create a human firewall with the right training and education, and what you can accomplish that way is much greater and more effective than any technology. Focus on people first by making an investment in them.”

The need to focus on cybersecurity and the empowerment of firm personnel to bolster it is more urgent than ever, Mr. Moseley said.

“Threats are no longer a matter of ‘if’, they’re a matter of ‘when,’” he said, noting that his group is seeing all types of cyberattacks, including wire fraud, email account takeovers and phishing. “The biggest, most sophisticated firms have been compromised, but no firm is too small to be a target.”

To turn advisors and all firm personnel into a bulwark against cybercrime, Mr. Moseley outlined several steps for firm management to follow:

Establish and maintain specific written procedures and policies. When examiners from the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) visited broker-dealers and registered investment advisory firms last year, they saw many great practices but a lack of specificity in documentation, Mr. Moseley said.

“Creating written procedures and policies is probably the least exciting part of a cybersecurity program, but it’s an important way to communicate with staff, and it’s essential in documenting a firm’s efforts to the SEC,” he said.

Enforce those procedures. In its examinations, the SEC found inconsistent enforcement of established procedures. Firms should establish controls and conduct regular inspections to make sure staff is actually following the procedures in place.

Perform consistent system maintenance. “Some of the most significant data breaches at advisory firms are the result of compromised systems that haven’t been patched or updated,” Mr. Moseley said.

Follow the five-step cybersecurity framework. The SEC’s efforts in cybersecurity are based on the National Institute of Standards and Technology’s (NIST) five-step cybersecurity framework, which firms should use as a roadmap for their own efforts. The five steps are: identify, protect, detect, respond and recover.

The first step involves taking an inventory of a firm’s hardware, software, data and input from vendors and third parties, noting particulars including purchase and installation dates and users.

Next come protection, detection and response, which should include a penetration test, perhaps using an outside firm to issue a report on any vulnerabilities found, which should then preferably be fixed. Resolution and recovery require written documentation and then testing of the procedures for how the firm would react in the event of a cyberattack.

Adopt best practices. According to Mr. Moseley, these involve:

  1. Passwords. They need not be unnecessarily complex, but make them long (8 to 15 characters), and store them on a system you pay for.
  2. Authentication. Use dual-factor authentication.
  3. Personal computers. Don’t permit their use for company business.
  4. Public wi-fi. Never use it.
  5. Encryption. Encrypt all devices, media and information that could be lost or stolen.
  6. Email. Because it is the source of most cyberattacks, “assume all email is guilty until proven innocent,” Mr. Moseley said.
  7. Software maintenance. This should always be administered centrally, not left to individual employees.
  8. No “fun.” Employees should not access games, social media or personal email on company equipment.

Finally, Mr. Moseley recommends enlisting clients in firm cybersecurity efforts.

“Clients are as concerned about the safety of their data, and cybersecurity in general, as advisors are,” he said. “They value your efforts at making cybersecurity a priority. Help them by creating educational cybersecurity videos and bringing in an expert from a local FBI office to discuss protection suggestions, which you can tie into a shredding party!”
