Automating better compliance to meet new SEC requirements

Here's how to meet the regulator's cybersecurity demands to protect your client's data
MAY 15, 2015
Picture this, financial adviser. Last month, you obeyed a fraudulent email from the address of a longtime client, which told you to transfer $100,000 from the client's account to the account of a relative. Last week, you unwittingly downloaded a program onto your office network that has been copying the login information for every program and client account you've accessed since then. And last night, you fired a disgruntled employee who subsequently went home and deleted all the information from your CRM … because the employee still had access to the server despite being terminated.

Is this an extreme confluence of events? Yes. But this nightmare could become reality for any RIA or broker-dealer that ignores the myriad and constantly evolving cybersecurity threats attacking computers daily. The consequences extend beyond damage to the firm's operations and reputation. Regulators are taking note of data breaches and cracking down on firms that fail to prevent them.

The Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued an alert in April 2014 detailing steps RIAs should take to shield clients from cyberthreats. Since late 2014, the OCIE has been conducting a sweep to examine over 50 broker-dealers and RIAs on its radar. The office calls on firms to create an IT governance system, assess their own risk of data breach, protect clients' assets, track how their technology interacts with third-party vendors and create written business continuity plans in case of disaster.

Advisers should think twice before assuming their firms are meeting those guidelines. As with any regulatory involvement, a firm and its advisers could face disciplinary action depending on the nature of lapses in cybersecurity. Good thing proper cybersecurity isn't magic. Advisers and firms should take the following concrete steps to protect clients as well as themselves. Think of it as the ABCs of the SEC.

No. 1: Create an IT governance program.

A good IT governance program needs an executive to take responsibility for cybersecurity, whether that person is a chief security officer, chief technology officer or chief information officer. The role can also be outsourced. A governance program needs policies on acceptable use of software, email procedures, encryption, passwords, remote access, disaster recovery and so on. Policies are great, but the office also needs a security awareness program to generate buzz among staff about their importance. Conducting regular training sessions is the only way to stop some attacks.

No. 2: Assess your firm's risk.

Assessing a firm's risk of cyberbreach calls for asking hard questions about the way things are done in house. Answering those questions requires having an inventory of all physical devices and software your staff uses for work. Maps of all network resources should show the locations where the firm stores client data. Running disaster recovery tests should give a sense of how well recovery would proceed in a real incident.

No. 3: Protect your client's data.

Protecting clients' assets may be the most important responsibility for an RIA or broker-dealer. That's why the OCIE says that firms should preserve all records relating to clients and assets, and that firms should be able to access these records easily. What's more, electronic records should not be rewritable or erasable. Strong protection automatically blocks viruses and spam, filters out dangerous websites, configures redundant firewalls, offers secure remote access and locks down mobile devices.

No. 4: Monitor your third-party technology vendors.

The fact that a firm contracts with vendors doesn't absolve it of responsibility for how those vendors handle client data. Broker-dealers and RIAs must know exactly what data every vendor has and perform due diligence to ensure those vendors are suitable. In order to monitor systems and processes, firms must save periodic audit logs from firewalls and server access tools, then analyze them and test their security.

No. 5: Create a written business continuity plan.

Business continuity plans lay out what to do if disasters like fires and floods wreck the firm's office space or data centers, destroying computers and preventing employees from getting to work. Many options exist. Expensive secondary locations can be built to mirror the primary site. Snapshots of network servers can be backed up to secondary data centers and restored when disaster strikes. Many RIAs and broker-dealers are turning to cloud vendors, which provide shared multisite configurations at a lower cost than building them in house.

Automating compliance with the cloud

Cloud-based IT specifically built for advisers may be the most effective solution for automating a firm's security and compliance programs. It also helps satisfy the SEC on crucial guidelines. The cloud lets firms securely access their computer platforms from any location and from any device. More advanced cloud-based IT can serve as a virtual chief security officer. These tools use email and file archiving, web protection, security monitoring, multisite configurations and device management to safeguard client data and the firm's overall operations.

Is the cloud mandatory? No. Advisory firms could attempt to build their own cybersecurity systems. But cloud computing is much easier than tackling the ABCs of the SEC alone.

Sam Attias is vice president of the financial services practice at External IT.
