Automating better compliance to meet new SEC requirements

Here's how to meet the regulator's cybersecurity demands to protect your client's data
MAY 15, 2015
By Sam Attias
Picture this, financial adviser. Last month, you obeyed a fraudulent email from the address of a longtime client, which told you to transfer $100,000 from the client's account to the account of a relative. Last week, you unwittingly downloaded a program onto your office network that's been copying all the login information for every program and client account you've accessed since then. And last night, you fired a disgruntled employee who subsequently went home and deleted all the information from your CRM … because the employee still had access to the server despite being terminated.

Is this an extreme confluence of events? Yes. But this nightmare could become reality for any RIA or broker-dealer that ignores the myriad and constantly evolving cybersecurity threats attacking computers daily. The consequences extend beyond damage to the firm's operations and reputation. Regulators are taking note of data breaches and cracking down on firms that fail to prevent them.

The Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued an alert in April 2014 detailing steps RIAs should take to shield clients from cyberthreats. Since late 2014, the OCIE has been conducting a sweep to examine over 50 broker-dealers and RIAs on its radar. The office calls on firms to create an IT governance system, assess their own risk of data breach, protect clients' assets, track how their technology interacts with third-party vendors and create written business continuity plans in case of disaster.

Advisers should think twice before assuming their firms are meeting those guidelines. As with any regulatory involvement, a firm and its advisers could face disciplinary action depending on the nature of lapses in cybersecurity. Good thing proper cybersecurity isn't magic. Advisers and firms should take the following concrete steps to protect clients as well as themselves. Think of it as the ABCs of the SEC.

No. 1: Create an IT governance program.

A good IT governance program needs an executive to take responsibility for cybersecurity, whether that person is a chief security officer, chief technology officer or chief information officer. The role can also be outsourced. A governance program needs policies on acceptable use of software, email procedures, encryption, passwords, remote access, disaster recovery and so on. Policies are great, but the office needs a security awareness program to generate buzz among staff about its importance. Conducting regular training sessions is the only way to stop some attacks.

No. 2: Assess your firm's risk.

Assessing a firm's risk of cyberbreach calls for asking hard questions about the way things are done in house. Answering those questions requires having an inventory of all physical devices and software your staff uses for work. Maps of all network resources should show locations where the firm stores client data. Running disaster recovery tests should give a sense of how well recovery would occur in real situations.

No. 3: Protect your client's data.

Protecting clients' assets may be the most important responsibility for an RIA or broker-dealer. That's why the OCIE says that firms should preserve all records relating to clients and assets, and that firms should easily access these records. What's more, electronic records should not be rewritable or erasable. Strong protection automatically blocks viruses and spam, filters out dangerous websites, configures redundant firewalls, offers secure remote access and locks down mobile devices.

No. 4: Monitor your third-party technology vendors.

The fact that a firm contracts with vendors doesn't absolve it of how that vendor handles client data. Broker-dealers and RIAs must know exactly what data every vendor has and perform due diligence to ensure those vendors are suitable. In order to monitor systems and processes, firms must save periodic audit logs from firewalls and server access tools, then analyze them and test their security.

No. 5: Create a written business continuity plan.

Business continuity plans lay out what to do if disasters like fires and floods wreck the firm's office space or data centers, thus destroying computers and preventing employees from getting to work. Many options exist. Expensive secondary locations can be built to mirror the primary site. Snapshots of network servers can get backed up to secondary data centers and restored when disaster strikes. Many RIAs and broker-dealers are turning to cloud vendors, which provide shared multisite configurations at a lower cost than building it themselves.

Automating compliance with the cloud

Cloud-based IT specifically built for advisers may be the most effective solution for automating a firm's security and compliance programs. It also helps satisfy the SEC on crucial guidelines. The cloud lets firms securely access their computer platforms from any location and from any device. More advanced cloud-based IT can serve as a virtual chief security officer. These tools use email and file archiving, web protection, security monitoring, multisite configurations and device management to safeguard client data and the firm's overall operations.

Is the cloud mandatory? No. Advisory firms could attempt to build their own cybersecurity systems. But cloud computing is much easier than tackling the ABCs of the SEC alone.

Sam Attias is vice president of the financial services practice at External IT.
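The audit-log analysis called for under No. 4, applied to the opening scenario of a terminated employee whose server access was never revoked: the check below cross-references a server-access log against the HR offboarding list and flags any activity after the termination time. This is an added example, not code from the article or from External IT; the log format, usernames, addresses and timestamps are all constructed.

```python
import re
from datetime import datetime

# Constructed sample server-access log (hypothetical format, not from the article).
ACCESS_LOG = """\
2015-05-14T08:02:11Z user=jsmith src=10.0.0.21 action=login result=success
2015-05-14T17:45:03Z user=mlee src=10.0.0.33 action=login result=success
2015-05-14T22:10:48Z user=jsmith src=203.0.113.7 action=login result=success
2015-05-14T22:12:05Z user=jsmith src=203.0.113.7 action=delete object=crm_contacts
2015-05-15T09:00:00Z user=rpatel src=10.0.0.40 action=login result=failure
"""

# Constructed HR offboarding list: username -> termination timestamp (UTC).
TERMINATED = {
    "jsmith": "2015-05-14T16:00:00Z",
}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' plus its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skipped rather than trusted
    rec = {"ts": datetime.strptime(m.group("ts"), TS_FMT)}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def post_termination_activity(log_text, terminated):
    """Return every record in which a terminated account is still active after its cutoff."""
    cutoffs = {u: datetime.strptime(t, TS_FMT) for u, t in terminated.items()}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("user") not in cutoffs:
            continue
        if rec["ts"] > cutoffs[rec["user"]]:
            findings.append(rec)  # any event, not just logins, is a control failure
    return findings


if __name__ == "__main__":
    for f in post_termination_activity(ACCESS_LOG, TERMINATED):
        print(f"{f['ts'].isoformat()} {f['user']} {f['action']} from {f.get('src')}")
```

Every hit is a finding that the offboarding process did not disable the account, which is the gap the article's terminated-employee scenario describes.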