Earlier this week, the state of Connecticut became the latest of many states to survey registered investment advisers (RIAs) registered with the state on the topic of cybersecurity compliance. These moves follow a similar investment adviser cybersecurity compliance initiative that the SEC embarked on earlier this year.
As RIA compliance consultants, we've seen a number of states issue similar information security surveys over the last few months, including Idaho, Illinois, Ohio, Massachusetts, Missouri, and Pennsylvania, to name just a few. In addition, in September, the North American Securities Administrators Association (NASAA) released the survey results from its recent cybersecurity pilot project conducted across 9 states. A look into this latest survey from Connecticut, which mirrors surveys issued by other states, should provide some guidance on what RIA firms should be considering when it comes to cybersecurity, given the additional information security regulation that is likely to come in the future.
Some of the state’s key questions include:
- During your firm's last fiscal year, what percentage of your firm's overall expenses was directly related to information technology security?
- Who is responsible for the maintenance of your firm’s information technology systems?
- Has your firm experienced a cybersecurity incident?
- Does your firm conduct risk assessments to identify cybersecurity threats, vulnerabilities, and potential consequences?
- Does your firm have any policies and procedures in place as it relates to cybersecurity, electronic communication, use of social media, etc.?
- What forms of authentication are required by customers or employees to access electronic data storage devices?
- Does your firm utilize antivirus software?
- Does your firm’s website include a client portal?
A number of these key investment adviser information security issues are highlighted in our free RIA cybersecurity compliance checklist. In general, when it comes to cybersecurity for investment advisory firms, it's vital to remember some of these initial tips:
- There is no substitute for proper employee training.
- Properly updated antivirus software installed on all devices is a must.
- Every firm needs not only to establish the proper policies and procedures when it comes to information security, but also to test these procedures and make frequent modifications as new issues are uncovered.
- Every firm needs to utilize a two-factor authentication system to access client information.
- Taking advantage of third-party vendors that have information security expertise is a great way to help mitigate some of the key risks; however, it's important that proper due diligence be conducted on those vendors.