This past month, the North American Securities Administrators Association (NASAA) issued a new cybersecurity risk alert encouraging investors that work with financial professionals to inquire about the firm’s information security policies and procedures. This new release comes only a few months after NASAA previously released the results of its registered investment adviser (RIA) cybersecurity compliance survey. In addition, the SEC released the results of its investment adviser cybersecurity examination sweep just a few weeks ago. Thus, it’s evident that RIA firms need to be very vigilant about establishing the proper information security policies and procedures.
In the latest release from NASAA, the association of investment adviser state regulators notes that investors should be asking RIA firms about the following information security topics:
- Cyber preparedness: To be able to establish the proper information security procedures, an investment advisory firm must first step back and identify which threats and vulnerabilities pose the most risk to the firm. As an example, given the frequency of email communication with clients, many RIA firms are at risk of being deceived by hackers that impersonate a client and make a fraudulent wire request via email.
- Cybersecurity compliance program: Once the firm has evaluated what the greatest risks may be, it’s vital that the firm establish an information security policy as part of the firm’s broader policies and procedures manual. Employee training is a crucial component of any information security program.
- Cyber insurance: Unfortunately, traditional errors and omissions insurance often does not cover information security incidents. We are seeing more RIA firms invest in cyber insurance.
- Cyber expertise: Larger firms are increasingly engaging outside experts to help them develop the proper policies, monitoring, and safeguards. One such expert firm that many investment advisers are turning to for assistance is Itegria.
- Cyber confidentiality: In order to properly protect sensitive client information, it’s crucial that the firm perform the proper due diligence and have the proper confidentiality agreements in place with all third-party vendors that may have access to such information.
- Cyber incidents: While the primary goal of any firm is to prevent incidents from taking place, the firm must also have the proper systems in place to identify potential incidents, the proper procedures in place to handle an incident once it occurs, and a process for making the adjustments needed to prevent similar incidents from occurring again in the future.
- Cybersecurity safeguards: To start, every RIA firm needs to install the proper anti-virus software on all firm computers. In addition, firms need to consider additional encryption and authentication capabilities to help protect against the theft of client information or client impersonation attempts.
As RIA compliance consultants, we strongly encourage the Chief Compliance Officer (CCO) of every RIA firm to review the firm’s current information security policies to ensure that they are up to date and have been properly tested.