It’s no secret that cyber threats are becoming more sophisticated, posing increased risk to registered investment advisers (RIAs) and their clients. On top of that, regulators are increasingly prioritizing cybersecurity, proposing new rules and naming it among their examination priorities.
That leaves RIAs wondering: how can we effectively mitigate risk and meet all cybersecurity requirements?
The SEC and cybersecurity risk management
During a recent webinar, we asked the audience which newly proposed rule they were most concerned about.
The answer? 60% stated the proposed regulations regarding cybersecurity risk management topped their list of concerns.
An understandable sentiment given the SEC’s clear focus on cybersecurity and risk management. In fact, since early 2022, headlines from the regulatory body have included:
- SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds
- SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit
- SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets
- SEC Reopens Comment Period for Proposed Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds
The message from the SEC is crystal clear: cybersecurity is a significant risk point across financial markets, and the Commission intends to address it through both rulemaking and enforcement activity.
Solutions to address cybersecurity risk management
So, how can RIAs keep up with cybersecurity requirements while protecting their firm and their clients from a potential breach?
1. Train and retrain your staff
Your people are your first line of defense when it comes to cybersecurity. Investing in appropriate training and ongoing refreshers helps reduce the risk from common attacks such as e-mail phishing. Training works best alongside technical controls such as multi-factor authentication and e-mail filtering, since even well-trained users will occasionally click a malicious link.
2. Invest in a virtual desktop
Virtual desktop infrastructure (VDI) hosts each user’s desktop centrally, typically in a cloud provider’s data center, rather than on the user’s own device. Firm data stays on managed servers, and the provider’s security controls (access management, logging, patching, encryption) apply to every session, which is a level of layered protection most small firms could not build on their own. The result? Your RIA firm can improve its ability to meet the SEC’s cybersecurity expectations, especially in the areas of Governance and Risk Assessment, Access Rights and Controls and Data Loss Prevention. Note that VDI does not remove the need to secure the device that connects to it: credentials and screen content still pass through that endpoint.
3. Implement a vendor due diligence process
Today, almost all RIA firms rely on third-party vendors that perform critical operations and often have access to sensitive client information. While these vendors support growth and day-to-day operations, they also expand your firm’s attack surface.
To mitigate that risk, firms should, among other due diligence steps:
- Perform due diligence before selecting a vendor, including a review of its security policies and any independent audit reports.
- Repeat that review on a regular schedule, not only at onboarding, since a vendor’s security posture can change.
- Maintain an inventory of vendors and conduct a regular risk assessment that rates each one by the data and system access it holds.
4. Leverage endpoint protection
Every device that touches firm data is part of your attack surface. Endpoint protection, meaning anti-malware, device encryption, timely patching and the ability to remotely lock or wipe a lost device, guards against unauthorized access at the point where data is actually used. By securing your laptops, desktops, smartphones and any other “endpoint” devices, you close one of the most common entry points attackers exploit.
5. Test your systems
Written cybersecurity policies are a necessary first step, but on their own they do not protect your firm. Test your controls on an ongoing basis, for example with simulated phishing campaigns and tabletop exercises of your incident response plan, to confirm that your people, technology and vendors are performing as the policies assume.
Cybersecurity has been, and will likely remain, a critical focus for regulators. Given the sophistication and frequency of cyber-attacks, firms must put proper defenses in place to mitigate risk and reduce potential harm.
Watch our on-demand webinar, Navigating the Regulatory Landscape: COMPLY’s 2023 CCO Playbook Webinar, to learn more about the compliance trends and challenges facing our industry.