Protecting client and company data from cyber breach should be a critical operations objective for Investment Advisory firms today. The risks reach beyond unsuspected internal hacks of software and servers, and cloud computing adds a further layer of threat. Treating data protection procedures as part of the corporate culture improves a firm's chances of surviving in an ever-evolving cyber threat landscape.
Attackers use advanced skills and tools to organize their assaults. Long-term cyber attack strategists sneak into systems and gather information for later use. Other criminals look for easy targets where they can steal money and disrupt business, including holding websites and proprietary data for ransom. Financial industry firms are particularly vulnerable to web application attacks, denial-of-service (DoS) attacks, and insider threats.
Many RIA firms have not yet become adept at developing sound cyber security tactics. They leave themselves and their clients at risk of sudden loss of information, embarrassment, and unforeseen recovery costs. The first step in creating a cyber security strategy should be a comprehensive evaluation of risk and education about the threats that exist.
Educating investment firm staff on how to spot cyber threats can go a long way toward guarding against attack. Firms large and small should have a practical guide that informs employees of the rules and procedures. Every list should include the basics:
- Never email sensitive data to clients. Use HTTPS secure portals and encrypted technology to handle exchange of information such as account information, wiring instructions, and passwords. Implement a secret code word with clients to ensure authenticity and verbally confirm transfers.
- When traveling, use only secure data connections. Free wi-fi access is often a prime opportunity for criminals to gain access to your account data, logins, and passwords. Be aware of your surroundings and shield your screen from onlookers.
- Train staff to identify suspicious emails and phishing attempts, and to protect their identities. Require a virus scan and manager approval before downloading attachments. Remind staff to carefully protect confidential personal information on social media sites. Sharing information such as maiden names, middle names, and dates of birth presents an easy opportunity for thieves to take over an identity.
- Require two-step authentication for secure systems. Hackers are known to use advanced algorithms and spyware to crack system passwords. Adding a second layer of protection, such as fingerprint or handprint validation or authentication images, can stop an attack and alert the IT department to the attempt.
- Update passwords no less than every 3 months and use different passwords for separate systems. Once hackers discover a password, they will try it across other company systems and portals. Stop them cold by varying login IDs and passwords. Create alphanumeric passwords and include special characters.
Cloud computing adds a further level of threat for firms, in that firms generally do not have direct control over the cyber security of their cloud resources. SaaS spending is showing a dramatic growth rate, with cloud computing estimated to reach a worldwide sales volume of $127.5 billion by 2020 according to Forbes. This indicates that the robustness of cyber security going forward will often lie in the hands of those providing cloud resources. However, securities firms and investment advisers remain accountable for poor judgment in their cloud computing arrangements.
Have you tested staff, cloud services, and internal systems to see how they respond to potential threats? Can the staff identify a potentially malicious email or attachment and prevent an attack?
Evaluate the risks
For investment firms, a cyber breach can incur costs beyond repair, such as fines and sanctions from regulators. RND Resources, Inc. will be covering regulatory guidelines and strategies at our New York compliance round table for RIA compliance officers and firms on June 29, 2015, where we will address the specific rules investment firms must follow.
RND has expertise in regulatory compliance and can assist firms in setting up security controls and in identifying the procedures, policies, and standards needed to keep data safe.
Contact us to evaluate your cyber security program, create a procedures checklist, and receive guidance on how to comply with regulatory standards. For quotes call (818) 657-0288.