As the technology available to registered investment adviser (RIA) firms continues to become more sophisticated and often more secure, one thing has not changed: the weakest link of any investment advisory firm’s information technology security plan still remains the inadvertent actions of the firm’s individual employees. Regardless of whether the RIA firm is utilizing local or cloud-based technology, both types of infrastructure are quite prone to a staff member unknowingly allowing an unauthorized party to improperly access an employee’s computer and/or online account login(s).
Although both the North American Securities Administrators Association (NASAA) and the US Securities and Exchange Commission (SEC) have issued some recent RIA cybersecurity guidance, there unfortunately is no set of rules that has been developed at either the state or SEC investment adviser regulatory level. However, regulators have made it clear that they expect investment advisory firms of all sizes to be properly addressing information technology security issues as part of the firm’s required compliance program.
As RIA compliance consultants, some of the largest information technology security risks that we see employees expose RIA firms to that can be mitigated with proper system design, policies, and training are:
- Improper protection of a company computer or device. Regardless of whether an advisory firm is operating in a local or cloud-based technology environment, company computers and devices need to be secured at all costs. Any device that falls into the wrong hands is likely to hold significant amounts of sensitive client information (client files, account documents, client emails, etc.). This risk generally falls into two categories:
  - Lack of strong password protection, hard drive encryption, shutting down, or screen locking of a device
    - This risk is generally exploited when a third-party vendor (e.g. a cleaning service) or an unauthorized third party has access to the company office after business hours, or when a laptop or mobile device is lost or stolen.
  - Proper technical protection of a device in place, but the password is easily accessible
    - This leads to a scenario in which an unauthorized third party can easily access a company device because, for example, the password to the device is written on a piece of paper or sticky note on the employee’s desk.
- Using a weak password or the same password to secure company devices and access online systems. Unfortunately, there are dozens of free and widely available password cracking software tools. These tools can quickly crack simple passwords by implementing a “brute force attack” that tries millions of possible passwords. Also, if proper policies are not implemented, an employee may be utilizing the same password to access multiple systems, so when one employee login account is compromised, the unauthorized party may also be able to access many other sensitive firm systems with the same password. In order to reduce the risk of being easily cracked or exploited, employees need to follow these password protection tips:
  - Create a strong password:
    - Contain both upper and lower case letters
    - Contain at least one number
    - Contain at least one special character
    - Be at least 10 characters in length
    - Not contain any words found in a dictionary
    - Not contain any personal information such as pet names or birth dates
    - Not contain sequenced or repeated characters (e.g. 123456, qwerty, abc123, etc.)
  - Protect passwords:
    - Require staff to have unique, strong passwords to access each technology system (e.g. desktop computer, CRM system, etc.)
    - Require staff to update passwords on a regular basis (e.g. monthly, quarterly, etc.)
    - Never allow passwords to be stored in writing or in any computer file
    - Never utilize the “Save password” feature on any web browser or application
    - Never share passwords with other staff members or third parties
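The strong-password rules listed above can be enforced at the point where a staff member sets a password. The following Python is an added example, not code from the original article; the short dictionary word list and the keyboard rows are constructed stand-ins, and `personal_info` is an assumed input holding the employee's own details.

```python
import re
import string
from typing import List, Sequence

# Constructed stand-in for a dictionary word list; a real policy check would
# load a full list (e.g. /usr/share/dict/words) instead.
DICTIONARY_WORDS = {"password", "welcome", "summer", "advisor", "finance", "chicago"}
# Keyboard rows, used to catch runs such as "qwerty" or "asdf".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_sequence(pw: str, run: int = 3) -> bool:
    """True if any `run` adjacent characters are repeated (aaa), ascending
    or descending (abc, 321) or a slice of a keyboard row (qwe, rew)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def password_problems(pw: str, personal_info: Sequence[str] = ()) -> List[str]:
    """Check `pw` against each rule of the policy above and return the rules
    it breaks. `personal_info` holds the employee's own details (pet names,
    birth years, ...) that must not appear anywhere in the password."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("missing upper or lower case letters")
    if not re.search(r"\d", pw):
        problems.append("missing a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("missing a special character")
    lower = pw.lower()
    if any(word in lower for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(info and info.lower() in lower for info in personal_info):
        problems.append("contains personal information")
    if has_sequence(pw):
        problems.append("contains sequenced or repeated characters")
    return problems

def is_strong_password(pw: str, personal_info: Sequence[str] = ()) -> bool:
    return not password_problems(pw, personal_info)
```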
- A staff member not properly protecting his or her own personal information, which exposes the employee to a potential social engineering hack. Sophisticated cyber criminals will look for information available online about an individual to try and reverse engineer what an employee’s password may be or what that employee’s answer to common security questions (e.g. high school mascot, mother’s maiden name, place of birth) may be. Unfortunately, answers to many common staff member security questions may be easy for someone to find online. In order to reduce the social engineering risk, staff members of RIA firms should consider taking the following steps:
  - Do not make social media profiles accessible to the public
    - Public LinkedIn, Facebook, or Twitter profiles can unfortunately reveal a lot of personal information including an employee’s place of birth, high school, dog’s name, etc.
  - Be very cautious when accepting friend or connection requests
    - Hackers will often create fictitious social media profiles in an attempt to gain access to information that individuals only “share with friends”
  - Utilize more obscure security question options when available
    - For example, instead of selecting “mother’s maiden name”, which may not be too difficult for someone to discover online, utilize questions like “what is the last name of the teacher who gave you your first failing grade?” if available
  - Use different security questions for different systems
    - Similar to not using the same password to access different systems, staff members should try not to use the same security questions for different applications, in case one security question answer is exposed.
  - Answer security questions with fake answers
    - Consider not answering security questions with the correct answer. If the staff member was born in Chicago, instead answer that he or she was born in San Francisco. Of course, the staff member now has the challenge of remembering what answers were given since they are inaccurate.
- Not activating two-factor authentication for every system. Unfortunately, even strong passwords can be cracked, and mistakes happen that may inadvertently expose employee passwords. Thus, it is critical that all staff members are required to activate two-factor authentication on all systems that allow for it. While no system is ever 100% secure even with multi-factor authentication deployed, it serves as an exceptionally powerful deterrent to potential hackers. What is two-factor authentication? The best real-world example is the use of bank ATM cards. In order to withdraw money, an individual needs to possess both the physical card and the unique PIN. Having one without the other will not allow access to funds. Some forms of two-factor authentication deployed for technology system protection include:
  - SMS or text message: Every time a staff member enters a password to access a system, they are sent a unique PIN which must be entered before it expires in order to gain access to the system.
  - Security token or key fob: A unique physical device given to each staff member which creates random access codes that constantly change.
  - Smartphone apps: One of the most common is Google Authenticator.
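The constantly changing codes produced by key fobs and apps such as Google Authenticator are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The Python below is an added example, not code from the original article; it implements both the code generation and the server-side check that makes an old code stop working, using a constructed demo seed (the base32 form of the RFC test-vector key).

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator apps share the seed as (often unpadded) base32; restore padding.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the HOTP counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every 30 seconds."""
    now = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), now // step, digits)

def verify_totp(code: str, secret_b32: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. `window` neighbouring intervals are accepted to
    tolerate clock skew; anything older than that has expired and is rejected.
    compare_digest avoids leaking the correct code through timing differences."""
    now = int(time.time()) if at is None else at
    key = _decode_secret(secret_b32)
    counter = now // step
    return any(hmac.compare_digest(hotp(key, c), code)
               for c in range(counter - window, counter + window + 1))

# Constructed demo seed: base32 of the ASCII key "12345678901234567890"
# used in the RFC 4226 / RFC 6238 test vectors. Never reuse a published seed.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, at=59))                          # 287082
    print("accepted 6 s later:", verify_totp("287082", DEMO_SECRET, at=65))    # True
    print("rejected after expiry:", verify_totp("287082", DEMO_SECRET, at=150))  # False
```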
- Not being able to properly recognize phishing or virus-infected emails. Staff members need to be extremely vigilant when it comes to the use of email. Some employee email policies to consider include:
  - Never provide sensitive information to clients unless utilizing secure email or a client portal
  - Never open or download email attachments from unknown senders
  - Never open or download email attachments from known senders that look suspicious
  - Never directly click on or open any links sent in an email
  - Be able to identify common phishing email warning signs including:
    - Bad spelling, poor grammar, or typos
    - A link to an unfamiliar company or website
    - A suspicious email sender domain
    - Requesting the recipient to enter login information
- Not having up-to-date anti-virus software installed on every device. While anti-virus software will not prevent all issues, it is a basic starting point that should not be neglected. When it comes to anti-virus software, it’s essential that staff members do the following:
  - Ensure that the anti-virus software subscription is active
  - Schedule all updates to install automatically
- Not properly confirming client wire requests. This is arguably the greatest risk that any RIA firm must prevent from occurring, as the results can be catastrophic from both a financial and a reputational standpoint. In particular, third-party wire requests (e.g. a client asking the firm to send money to a third party) often pose the greatest unauthorized fund transfer risk. Unfortunately, clients of investment advisory firms are frequently having their email accounts compromised, and sophisticated hackers are immediately targeting the victim’s financial advisor. Given that staff members typically receive wire requests from clients, it’s essential that thoughtful policies and procedures be established as they relate to fund transfers. Some policies to consider include:
  - Requiring all third-party wire requests or new client account requests to be confirmed verbally regardless of the urgency.
  - Reviewing all wire requests for suspicious behavior such as time of request, atypical amount of request, different email language or signature, sense of urgency, etc.
  - Requiring that the client establish and provide a secret word or phrase verbally before a wire transfer will be authorized
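The review criteria above (time of request, atypical amount, changed signature, urgency, third-party beneficiary) can be turned into a first-pass screen that tells staff which requests must go to verbal confirmation. This Python is an added example, not the article's own procedure; the client profile, the two requests and the 8:00 to 18:00 business-hours assumption are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Sequence

URGENCY_WORDS = ("urgent", "asap", "immediately", "right away", "today")

@dataclass
class WireRequest:
    amount: float
    received: datetime      # when the e-mail arrived
    body: str
    signature: str          # sign-off block of the e-mail
    third_party: bool       # beneficiary is someone other than the client

@dataclass
class ClientProfile:
    usual_signature: str
    past_amounts: Sequence[float]   # previously confirmed wires (constructed history)

def review_wire_request(req: WireRequest, profile: ClientProfile,
                        business_hours=(8, 18)) -> List[str]:
    """Return the red flags found; an empty list means nothing unusual.
    Any third-party request is flagged regardless, since the policy requires
    verbal confirmation of those no matter how routine they look."""
    flags = []
    if req.third_party:
        flags.append("third-party beneficiary: verbal confirmation required")
    start, end = business_hours
    if req.received.weekday() >= 5 or not start <= req.received.hour < end:
        flags.append("received outside business hours")
    if profile.past_amounts and req.amount > 3 * median(profile.past_amounts):
        flags.append("amount atypical for this client")
    if req.signature.strip() != profile.usual_signature.strip():
        flags.append("signature differs from client's usual sign-off")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        flags.append("sense of urgency in request")
    return flags

# Constructed sample data, not real client records.
SAMPLE_PROFILE = ClientProfile("Best regards,\nJane Doe", [2000, 2500, 1800, 3000])
SAMPLE_REQUESTS = {
    "routine": WireRequest(2200, datetime(2016, 3, 15, 10, 30),
                           "Hi, please move $2,200 to my checking account as usual.",
                           "Best regards,\nJane Doe", third_party=False),
    "suspicious": WireRequest(9500, datetime(2016, 3, 19, 23, 12),
                              "I need you to wire $9,500 to the attached account "
                              "urgently, I am travelling and can't talk right now.",
                              "Sent from my iPhone", third_party=True),
}

def screen_samples() -> Dict[str, List[str]]:
    return {name: review_wire_request(r, SAMPLE_PROFILE) for name, r in SAMPLE_REQUESTS.items()}
```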
Use of Password Manager Tools
One common challenge for investment advisers as technology continues to become more cloud-based is helping staff members maintain strong and unique passwords for all the different logins required by the many systems. To solve this challenge, some RIA firms are beginning to explore the use of password manager tools such as LastPass. Some of the advantages of such a system include:
- The ability to centralize all passwords into one central system so staff members no longer need to remember multiple different passwords.
- The ability to use a two-factor authentication system, such as Google Authenticator, that does not require text messages which may result in additional staff mobile phone usage charges.
- Features which help an administrator better monitor access to firm systems and enforce password policies.
On the other hand, some of the drawbacks are:
- Additional cost of $24 per user per year for an enterprise-type subscription.
- By centralizing all systems into one master password, if that master password is cracked then all systems are now exposed through a single point of entry.
- It’s an additional piece of software to manage and train staff members on how to properly use.
As such, there is no clear answer when it comes to the use of password manager tools. LifeHacker addressed some of LastPass’ security concerns in a recent blog post that is a good read if considering implementing a password manager tool.
RIA Staff Members Can Never Receive Enough Training When It Comes to Cybersecurity
Given that staff members pose a significant inadvertent cybersecurity risk to investment advisory firms, the importance of thorough and frequent staff training and education cannot be overstated. At a minimum, the Chief Compliance Officer (CCO) or other officer in charge of information technology security should establish a robust information technology security policy and should hold a detailed annual training session for all staff members, in addition to or as part of the firm’s annual employee compliance training program. Furthermore, all new staff members should receive training shortly after being hired, and cybersecurity should be a key component of an advisory firm’s annual risk assessment.