The relationship between a registered investment adviser (RIA) and its client is built on trust. A large part of which involves the management and protection of an investor’s sensitive and personal information. In the past, this was done using locked file cabinets, ID badges and security cameras. But in today’s fast-moving digital world, an entirely new (and invisible) threat has emerged: cyber attacks. In fact, the average weekly number of attacks per organization worldwide reached over 1,130 in Q3 of 2022.
To provide continued data protection to investors, the Securities and Exchange Commission (SEC) has emphasized the importance of cybersecurity policies and procedures for financial firms and institutions. Here is a quick look at ongoing regulatory proposals, as well as what you can do to keep your firm compliant and protected.
SEC’s proposed ruling on cybersecurity disclosures
In March 2022, the SEC released a proposed ruling called the “Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure.” In keeping with evolving concerns about the safety of online data, this disclosure requires, among other changes, for cybersecurity incidents to be reported within four business days.
The SEC said in a recent statement, “The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents.”
Under this ruling, registrants would be required to:
● Implement policies and procedures reasonably designed to detect and prevent cybersecurity incidents.
● Periodic reports including disclosure of past incidents.
● Report on ongoing cyberattack provisions.
How firms can adapt to cybersecurity compliance changes in 2023
The role of leadership within your RIA firm is to oversee and execute a proactive cybersecurity defense which allows your firm to both respond and recover promptly. In today’s tech-focused world, it’s no longer acceptable to play defense — cyberattacks and compromised data are real threats which must be properly prepared for. The SEC recognizes the “when, not if” likelihood of cyber threats and is pushing out proposed regulation changes in response.
Offer ongoing team training
With ongoing and robust cybersecurity trainings, every member of your team can serve as a first line of defense against cyberattacks or data breaches.
While your RIA firm’s senior members may be in charge of monitoring ongoing cybersecurity measures, every employee should have a good understanding of why a cybersecurity breach is dangerous. Help them learn how to spot suspicious emails, detect if their computer is infected, and report unusual activity to the appropriate team leader promptly.
Build a virtual wall of defense
Your network’s infrastructure should work in tandem with your cybersecurity policies and procedures to protect your firm’s information. Security of critical business and client data needs to be your firm’s top priority. However, this can be difficult to monitor and manage when team members work in multiple offices or remotely.
To address these hurdles, consider a virtual desktop infrastructure which allows your firm to maintain information security and compliance while empowering employees to work anywhere.
In addition, there are a few policies you can implement in your advisory firm to help further protect sensitive data including:
● “Acceptable use” or limited access to devices based on job responsibilities.
● Third-party vendor logs.
● Termination of access for former employees.
● Limited mobile device usage.
● Add an inventory of devices used.
If you don’t currently keep an up-to-date list of your tech stack, this may be helpful to create when it comes to adhering to future cybersecurity compliance requirements. Obtain and keep all vendor cybersecurity policies on file and have an appointed team member review the process of reporting an incident.
Prepare periodic reports
As mentioned earlier, it’s likely the SEC will begin requiring firms to maintain books and records of cybersecurity incidents and preventative measures. Internally, your firm may benefit from regularly running reports regarding safety and security. These can help identify potential vulnerabilities or provide assurance that your cybersecurity policies and procedures are working.
Examples of common cybersecurity reports include:
● Access reports.
● Patch management reports.
● Vulnerability and remediation reports.
● Virus scan reports.
Anytime you run a report, or experience a possible cybersecurity breach, keep detailed records. An appointed team member (or members) should know how to quickly access this information if needed.
Review your RIA firm’s cybersecurity policies regularly
By conducting and documenting regular reviews of your firm’s procedures, you can provide regulators with documented evidence of a cybersecurity program. In order to stay compliant with these ongoing changes, you should be able to prove your prevention and detection program is both up-to-date and flexible enough to adapt to new cybersecurity threats.
During reviews and revisions, be specific when documenting methodology, timing and responsible parties for the firm’s cybersecurity activities.
Test your defensive measures using simulated attacks
It’s helpful to know your strengths and weaknesses before an actual cyberattack occurs. To do this, your management team may find it necessary to conduct an authorized simulated cyberattack on your systems and infrastructure.
This test should help your team members understand their own roles in protecting sensitive information and give your firm an idea of the effectiveness of their defensive measures.
Staying compliant with your RIA cybersecurity in 2023
The SEC takes threats to consumer data and investor identity protection very seriously, including those which take place online. As demonstrated in 2022, they’re increasingly enforcing firm failures to comply with cybersecurity regulations regarding record-keeping and the safeguarding of client data.
As your firm continues to keep pace with evolving cybersecurity compliance concerns, you may find it helpful to partner with a qualified technology partner like RIA in a Box. We can help your firm leverage all the right resources and tactics to keep sensitive data secure.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.