Reassessing cybersecurity in a changing world

As the industry waits for the Securities and Exchange Commission’s final rules on cybersecurity, RIAs can take steps now to better safeguard themselves and their clients.
JUN 09, 2022

There are two main forces changing the way registered investment advisers think about cybersecurity and operating a firm — regulators and remote work.

As the industry waits for the Securities and Exchange Commission’s final rules on cybersecurity, RIAs can take steps now to better safeguard themselves and their clients. In addition, advisers and staff need to be able to switch between applications securely, regardless of whether they are working in the office or elsewhere.

Remote work shines a spotlight on the issue of controlling access to data and applications. Although the in-office environment affords RIAs the most control over technology and systems, the majority of us are not going back to the office 100% of the time.

Protecting access to the firm’s technology, core business applications and systems goes beyond antivirus software and policies. It means multifactor authentication and encrypted passwords so that login credentials cannot be easily compromised. It also includes artificial intelligence-enabled data protection technology that actively studies user behavior to establish patterns and flag aberrations or disruptions as potential cyber-events, so they can be immediately stopped and contained before a cyberthief has successfully hacked into an entire system.

BUDGET FOR AN INCREASE IN CYBERSECURITY-RELATED SPENDING

It takes time and resources to protect a firm from breaches and comply with SEC rules. The increase in number and severity of cybersecurity attacks, coupled with a rise in enforcement, can only mean that RIAs will need to increase their IT budgets.

Outside of the costs of having the right technology and support in place, there are costs associated with cybersecurity assessments, which are based on audits of the firm’s actual security policies. There are also premiums for cybersecurity insurance to consider.

RIAs may also need to account for a loss in overall productivity from advisers and staff as a by-product of having to complete cybersecurity assessments and related regulatory requirements.

DOCUMENT YOUR CYBERSECURITY POLICIES AND HOW THEY'RE BEING USED

The SEC’s longstanding recommendation to document cybersecurity policies and procedures may finally become a rule. Firms will need to write down how they address cybersecurity risks specific to their clients and operations.

Firms must also be able to show how policies are being implemented and demonstrate that they are protecting clients’ interests. This includes minimizing risks that can lead to operational disruptions or loss or theft of client information.

RIAs should already be documenting their cybersecurity policies and tracking incidents as part of business continuity planning and for insurance purposes. In the event of a data breach or cybersecurity attack, insurance companies want firms to provide a written record of their actions, policies and protocols.

A remote or virtual work environment means change for RIAs that were configured to have everyone in the office. Different technology is needed to secure a remote workforce, which has unique cybersecurity challenges. Remote work mandates that certain levels of security are in place to protect the firm.

Simply picking a product off the shelf without careful thought or change management will lead to frustration. The technology decision will influence how the firm works, shaping everything from workflows to security policy and operational protocols. Thoughtful, strategic implementation and management are critical.

Wes Stillman is founder and chief technology officer of RightSize Solutions, which provides IT and cybersecurity management solutions to RIAs and other wealth management firms.
