Your guide to the NIST framework for registered investment advisers

Feb 09, 2023

Check out this blog to learn more about the NIST framework for investment advisers and how you can proactively mitigate cybersecurity risk.

In 2023, cybersecurity risks are among the top concerns at registered investment adviser (RIA) firms. The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework to help organizations, including investment firms, of all sizes identify, assess and manage cybersecurity risks.

Notably, the Securities and Exchange Commission (SEC) uses the NIST framework to manage its own cybersecurity program, and many investment firms also refer to it for information security guidance. As a result, the framework is directly relevant in the financial services landscape, particularly for investment advisers.

In this guide we’ll break down the NIST framework for investment advisers and give practical tips for how your firm can successfully apply these guidelines.

Breakdown of the NIST framework: Cybersecurity guidelines for investment advisers

The NIST framework focuses on five functions: identify, protect, detect, respond and recover. Each function describes desired outcomes that are easy to understand and apply to any kind of risk management; together they define the entire breadth of cybersecurity, spanning both prevention and reaction.

  1. Identify.
    Develop an organizational understanding to manage cybersecurity risks regarding systems, people, assets, data and capabilities.
  2. Protect.
    Develop and implement appropriate safeguards to ensure delivery of critical services.
  3. Detect.
    Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond.
    Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  5. Recover.
    Develop and implement appropriate activities to maintain plans for resilience and restore any capabilities or services which were impaired due to a cybersecurity incident.

How can your investment firm adhere to the NIST cybersecurity guidelines?

In today’s digital world, cybersecurity risks are an ever-present threat to your firm and its clients. By applying and adhering to the NIST cyber guidelines, your firm can create a regulatory compliance program which safeguards your firm from cybersecurity threats, mitigating the potential for damage:

  • Create and share an organization-wide policy which covers roles and responsibilities for employees, vendors and anyone else who has access to sensitive data.
  • Monitor who logs on to your network and uses your computers and other devices.
  • Use security software to protect data.
  • Encrypt sensitive data, at rest and in transit.
  • Conduct regular backups of data.
  • Create policies and procedures for safely disposing of electronic files and old devices.
  • Investigate any unusual activities on your network or by employees.
  • Create policies and procedures for notifying clients, employees and others whose data may be at risk.
  • Prepare for unforeseen events, like weather emergencies, that may put data at risk.

In the event your RIA firm does suffer a cybersecurity attack, it will have to report the attack to law enforcement and other authorities. It will also have to take measures to repair and restore the equipment and parts of the network that were affected. Finally, your firm will have to update its policies and procedures with the lessons learned.

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.