With the Securities and Exchange Commission’s recently adopted cybersecurity rule, not to mention the other proposed cybersecurity rules still on the docket, it’s no surprise firms have begun to revisit and revise their cybersecurity programs.
Top five RIA cybersecurity FAQs
To help ensure your ongoing compliance, we’ve curated some of the top RIA cybersecurity questions and answers from past blogs, providing links back to the original source for even more detail.
How can my firm mitigate cybersecurity risk?
People: When it comes to protecting your firm from the people element of cyber threats, it all comes down to training. Train regularly and train often. Increasing your team’s awareness of threats like email phishing reduces the chance that a single erroneous click in an email opens the door to a costly cyber-attack.
Technology: To protect your firm, you must create and implement policies and procedures designed to address the technological risk your firm faces. Because each RIA faces unique challenges and risk points, it is essential that your firm accurately assesses any weak points that could lead to a successful cyber-attack and mitigates them with policies and processes that protect the firm, its employees and its clients.
Vendors: When it comes to vendors, it’s all about diligence. Vendor due diligence should be performed both before the vendor relationship begins and on a regular basis thereafter, confirming that any third parties comply with your firm’s requirements and processes.
Learn more about the three elements of cybersecurity protection.
What type of RIA cybersecurity training should my firm invest in?
Basic training and cybersecurity familiarity: Every firm should have a cybersecurity guidance handbook that each employee has access to and is kept up to date with. This could include best practices for mobile device usage, password management, identifying potential cyber threats, social media behavior and other pertinent information. Update the handbook or send out bulletins as new threats emerge.
The key takeaway – all employees need to complete the basic level of cybersecurity training.
Intermediate cybersecurity skills: Now that we’ve covered the baseline skills every person at your firm should know, let’s explore a few advanced skills required for specific job functions. As a common example, a human resources (HR) employee needs training on recognizing Personally Identifiable Information (PII). An HR employee uses and sees this information every day and should know how to recognize what must be protected and how to protect it.
Specialty cybersecurity training: Specialty training also focuses on cybersecurity best practices or risks specific to an employee’s job function. An example of a specialist requiring more robust training is an IT support technician, who needs the basic training but also additional knowledge of specific risks, such as those around PII. Although IT technicians do not handle PII as part of their normal daily duties, they still must be able to recognize it so they can properly guide employees on its handling and protection.
Learn more about cybersecurity training.
What is the NIST framework?
The NIST framework focuses on five functions: identify, protect, detect, respond and recover. Each function describes desired outcomes that are easy to understand and apply to any kind of risk management; together they define the entire breadth of cybersecurity, spanning both prevention and reaction.
- Identify: Develop an organizational understanding to manage cybersecurity risks regarding systems, people, assets, data and capabilities.
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover: Develop and implement appropriate activities to maintain plans for resilience and restore any capabilities or services which were impaired due to a cybersecurity incident.
Learn more about the NIST framework.
What is Virtual Desktop Infrastructure?
Virtual Desktop Infrastructure (VDI) is a desktop virtualization technology where the operating system runs and is managed through an on-premises or cloud data center. The virtual desktop environment is delivered over a network to the user’s device, such as a desktop, laptop or tablet, which allows the user to interact with the operating system and its applications, eliminating dependency on physical office space and physical computers.
Learn more about Virtual Desktop Infrastructure.
What risk do endpoints pose? What is endpoint protection?
“Endpoints” are any devices that connect to your network – including computers, phones, tablets, printers and more. Each device you connect to your network adds to your firm’s attack surface and exposes it to cybersecurity threats.
That’s where endpoint protection comes into play – it’s the practice of securing those devices and mitigating the risks of cybersecurity threats.
Learn more about endpoint protection.
RIA cybersecurity has been a top priority for many years now, and it doesn’t look to be changing any time soon. Ready to amp up your cyber protection measures? Schedule a demo of the RIA in a Box cyber solutions today!