Cybersecurity: The must-do steps for every Advisor
Advisors grappling with cybersecurity can easily feel overwhelmed, given the scale of the threat, the lack of resources, and the speed with which an incident can unfold.
Adam Moseley, managing director at Schwab Advisor Services™, offers advisory firms of any size not just hope but practical steps they can take immediately to manage such threats and dramatically bolster their own cybersecurity.
“Don’t think of cybersecurity as a tech thing; think of it as a people thing,” says Mr. Moseley. “The top concerns of firms—whether large or small and whether they were well prepared for cyber threats—involved people. There’s the worry that someone will click the wrong link or approve a fraudulent transaction or do something else, probably inadvertently, that would compromise the firm. The cybersecurity solution, therefore, must be centered on people. That involves establishing and enforcing standards and procedures, as well as continuous training.”
“With training you can create a human firewall that is stronger than any tech solution in protecting your firm from cyber threats.”
One reason Mr. Moseley stresses the human over the technological is that cyber-criminals devise new ways to steal data and break into systems faster than technologists can build defenses against them. Equally important, trained advisory team members know the appropriate measures and best practices for protecting firm and client data, and are less likely to be the weak point an attacker relies on.
Drawing on the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) Risk Alert, which summarized observations from the SEC’s cybersecurity examinations, Mr. Moseley identifies three areas in which firms can improve their procedures and training to protect themselves and their clients, and to prepare for an OCIE cybersecurity inspection.
First is documentation, which the SEC has often found to be too general, too narrow, or not detailed enough to be useful. Firms should maintain complete, up-to-date inventories of the data and information they hold and of the vendors and service providers they use, along with a classification of the risks, vulnerabilities, and business consequences associated with each vendor and provider.
Second is inconsistent application of a firm’s own written procedures. Some firms state that they conduct annual customer protection reviews, for example, when they actually conduct them less often. Mr. Moseley’s advice: “If you say you are doing something, do it—and document what’s being done.”
Finally, update and maintain the software you already have. “Most security incidents exploit vulnerabilities that are more than three months old, so it’s imperative to continually update and patch existing software and document the updates. The process is so important that it can’t be left in the hands of users and must become a formal role within the firm.”
“Technology is necessary, but solutions must be centered on people.”