Automating better compliance to meet new SEC requirements

Here's how to meet the regulator's cybersecurity demands to protect your client's data
MAY 15, 2015
By Sam Attias
Picture this, financial adviser. Last month, you acted on a fraudulent email that appeared to come from a longtime client's address and told you to transfer $100,000 from the client's account to the account of a relative. Last week, you unwittingly downloaded a program onto your office network that has been copying the login information for every program and client account you've accessed since then. And last night, you fired a disgruntled employee who went home and deleted all the information from your CRM, because the employee still had access to the server despite being terminated.

Is this an extreme confluence of events? Yes. But this nightmare could become reality for any RIA or broker-dealer that ignores the myriad and constantly evolving cybersecurity threats attacking computers daily. The consequences extend beyond damage to the firm's operations and reputation. Regulators are taking note of data breaches and cracking down on firms that fail to prevent them.

The Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued an alert in April 2014 detailing steps RIAs should take to shield clients from cyberthreats. Since late 2014, the OCIE has been conducting a sweep examining more than 50 broker-dealers and RIAs on its radar. The office calls on firms to create an IT governance system, assess their own risk of a data breach, protect clients' assets, track how their technology interacts with third-party vendors and create written business continuity plans in case of disaster.

Advisers should think twice before assuming their firms are meeting those guidelines. As with any regulatory involvement, a firm and its advisers could face disciplinary action depending on the nature of the lapses in cybersecurity. Good thing proper cybersecurity isn't magic. Advisers and firms should take the following concrete steps to protect clients as well as themselves. Think of it as the ABCs of the SEC.

No. 1: Create an IT governance program.
A good IT governance program needs an executive to take responsibility for cybersecurity, whether that person is a chief security officer, chief technology officer or chief information officer. The role can also be outsourced. A governance program needs written policies on acceptable use of software, email procedures, encryption, passwords, remote access, disaster recovery and so on. Policies are necessary, but the office also needs a security awareness program so staff understand why the policies matter. Regular training sessions are the only practical defense against attacks such as the fraudulent client email described above, which target people rather than systems.

No. 2: Assess your firm's risk.

Assessing a firm's risk of a cyberbreach calls for asking hard questions about the way things are done in house. Answering those questions requires an inventory of every physical device and piece of software your staff uses for work. Maps of all network resources should show where the firm stores client data. Running disaster recovery tests shows how well recovery would actually work in a real incident, rather than how well it works on paper.

No. 3: Protect your clients' data.

Protecting clients' assets may be the most important responsibility of an RIA or broker-dealer. That's why the OCIE says firms should preserve all records relating to clients and assets, and should be able to retrieve those records readily. What's more, electronic records should be stored in a form that cannot be rewritten or erased. A strong technical baseline automatically blocks viruses and spam, filters out dangerous websites, uses redundant firewalls, offers secure remote access and locks down mobile devices.

No. 4: Monitor your third-party technology vendors.

The fact that a firm contracts with vendors doesn't absolve it of responsibility for how those vendors handle client data. Broker-dealers and RIAs must know exactly what data every vendor holds and perform due diligence to ensure those vendors are suitable.
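The monitoring the article calls for only pays off if someone actually reads the logs. The following script is an added example, not code from the article or from External IT. It scans a handful of constructed server access-log lines for the conditions this article raises: activity by an account that should have been disabled at termination (the CRM scenario in the opening), a successful login that follows a run of failures from the same address, and a login from an address a user has never used before. The log format, the user names, the addresses and the termination list are all invented for the illustration; a real deployment would read the firm's own CRM or server logs and take the terminated-user list from HR.

```python
"""Added example: review constructed server access-log lines for the kinds
of events an adviser's audit-log analysis should surface."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an invented key=value format (not from any
# real product). The 'bdoe' entries model the terminated-employee scenario.
SAMPLE_LOG = """\
2015-05-14T18:02:11 host=crm-01 event=login user=jsmith src=10.0.1.25 result=success
2015-05-14T18:05:40 host=crm-01 event=login user=mjones src=10.0.1.31 result=success
2015-05-14T22:47:03 host=crm-01 event=login user=bdoe src=203.0.113.9 result=success
2015-05-14T22:48:10 host=crm-01 event=delete user=bdoe object=contacts count=4120
2015-05-15T07:11:52 host=crm-01 event=login user=jsmith src=198.51.100.77 result=failure
2015-05-15T07:12:04 host=crm-01 event=login user=jsmith src=198.51.100.77 result=failure
2015-05-15T07:12:20 host=crm-01 event=login user=jsmith src=198.51.100.77 result=failure
2015-05-15T07:12:33 host=crm-01 event=login user=jsmith src=198.51.100.77 result=success
"""

# Constructed: accounts HR reported as terminated, with the termination time.
TERMINATED = {"bdoe": datetime(2015, 5, 14, 17, 0, 0)}

# Constructed baseline: addresses each user has previously logged in from.
KNOWN_SOURCES = {
    "jsmith": {"10.0.1.25"},
    "mjones": {"10.0.1.31"},
    "bdoe": {"10.0.1.40"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    # Remaining key=value pairs (src, result, object, count, ...) vary by event.
    for kv in rec.pop("rest").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def find_findings(log_text, terminated=TERMINATED, known_sources=KNOWN_SOURCES,
                  failure_threshold=3):
    """Return a list of (kind, user, detail, extra) tuples for suspicious events."""
    findings = []
    failures = defaultdict(int)          # (user, src) -> consecutive failed logins
    seen = {u: set(s) for u, s in known_sources.items()}  # copy so we can update it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        # 1. Any activity by a terminated account after its termination time,
        #    whatever the event type: the account should not work at all.
        if user in terminated and ts > terminated[user]:
            findings.append(("terminated_account_active", user, rec["event"], ts.isoformat()))
        if rec["event"] != "login":
            continue
        src = rec.get("src")
        if rec.get("result") == "failure":
            failures[(user, src)] += 1
            continue
        # 2. A success right after a run of failures from the same address
        #    looks like password guessing that eventually worked.
        if failures[(user, src)] >= failure_threshold:
            findings.append(("success_after_failures", user, src, failures[(user, src)]))
        failures[(user, src)] = 0
        # 3. A successful login from an address not in the user's baseline.
        if src not in seen.setdefault(user, set()):
            findings.append(("new_source_address", user, src, ts.isoformat()))
            seen[user].add(src)
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOG):
        print(*finding)
```

Run against the sample lines, the script reports the terminated account logging in and deleting records, the success that followed three failures, and two logins from previously unseen addresses. The terminated-account check is deliberately independent of whether the login succeeded or failed: the real finding is that the account still exists, which is what the offboarding process should have prevented.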
To monitor systems and processes, firms must retain periodic audit logs from firewalls and server access tools, then analyze them and test the security of those systems.

No. 5: Create a written business continuity plan.

Business continuity plans lay out what to do if disasters like fires and floods wreck the firm's office space or data centers, destroying computers and preventing employees from getting to work. Many options exist. Expensive secondary locations can be built to mirror the primary site. Snapshots of network servers can be backed up to secondary data centers and restored when disaster strikes. Many RIAs and broker-dealers are turning to cloud vendors, which provide shared multisite configurations at a lower cost than building them in house.

Automating compliance with the cloud

Cloud-based IT specifically built for advisers may be the most effective way to automate a firm's security and compliance programs. It also helps satisfy the SEC on crucial guidelines. The cloud lets firms securely access their computer platforms from any location and from any device. More advanced cloud-based IT can serve as a virtual chief security officer. These tools use email and file archiving, web protection, security monitoring, multisite configurations and device management to safeguard client data and the firm's overall operations.

Is the cloud mandatory? No. Advisory firms could attempt to build their own cybersecurity systems. But cloud computing is much easier than tackling the ABCs of the SEC alone.

Sam Attias is vice president of the financial services practice at External IT.
