In the News

SEC to Advisors: Improve Cybersecurity Preparedness

View on Barron’s

Financial advisors have more work to do when it comes to protecting their systems from hackers, InvestmentNews reports, citing cybersecurity examination results released this week by the SEC.

“In general, the staff observed increased cybersecurity preparedness since our 2014 Cybersecurity Initiative. However, the staff also observed areas where compliance and oversight could be improved,” the SEC noted in its exam risk alert bulletin.

Advisory firms should adhere more closely to their stated cybersecurity policies, keep current on security patches and correct all vulnerabilities detected, the SEC noted. These observations stem from examinations of 75 firms, including broker-dealers, investment advisers and funds, conducted from September 2015 through June 2016.

Read more at Barron’s

Compliance held responsible for due diligence with cloud computing

View on Compliance Reporter

As information technology and data storage continue to move toward cloud computing, the responsibility for compliance and due diligence remains with firms' chief compliance officers, according to Justin Kapahi, Vice President of Solutions and Security at External IT.

“The responsibilities don’t really change. There was a lot of confusion around this thinking that if you outsource you remove those responsibilities, but the truth is these vendors are still just a partner of the firm,” Kapahi told Compliance Reporter. “It is still their responsibility to make sure they have the right policies, software and that they were working together.”

Read more at Compliance Reporter

Article from InvestmentNews

SEC risk alert calls on advisory industry to do more to shore up cybersecurity

View on InvestmentNews

Financial advisory firms are getting more advice from federal regulators on steps they should be taking to protect their information systems from hackers.

Advisory firms need to do a better job of following their stated cybersecurity policies and they should correct all the vulnerabilities that periodic tests reveal, according to results from a new round of cybersecurity examinations by staff at the Securities and Exchange Commission.

Advisers also need to do a better job of keeping the firm’s security patches up to date, the new SEC exam risk alert said. It contained findings from 75 cybersecurity exams of advisory firms, broker-dealers and funds conducted from September 2015 through June 2016.

How Advisors can Ensure Client Data is Protected When Working Remotely

View on iris.xyz

Mobile devices have made it possible for financial advisors, and professionals in a wide variety of other industries, to seamlessly conduct business and engage with clients in any location, and at any time, outside the office. But while laptops, iPads, and smartphones have enabled advisors to complete work and collaborate with colleagues and clients from home and on the road, these mobile devices can also increase the risk of security breaches if they are not properly secured and monitored.

One misplaced or stolen mobile device, or password, is all it takes for hackers to access clients’ sensitive financial information. Advisory practices whose data is compromised can not only face regulatory scrutiny and fines, but also permanent damage to their reputations which could put their very survival in the industry in jeopardy.

However, advisors don’t need to sacrifice convenience for effective cybersecurity. Below are tips that advisors can follow to make sure all data, documents, and emails on their firm-approved mobile devices are secured against hackers.

1. Implement Multi-Factor Authentication & Other Security Controls on All Mobile Devices

Cyber-criminals, along with the technology systems they seek to infiltrate, are becoming more and more sophisticated. So, needless to say, it shouldn’t be easy for them to figure out a mobile device’s password. Unfortunately, hackers are quite crafty, so advisors need to add an extra layer of protection to their firms’ mobile devices by implementing two-factor authentication. This authentication process requires users to enter a standard password plus a one-time code, which cannot be reused, whenever they connect from an unrecognized device.

Advisors can further secure their firm’s mobile devices by rolling out security controls that enable certain authorized users, as opposed to all practice employees, to access client data. These controls ensure that only select employees can download, copy, forward, or print sensitive information from their devices.

Centennial State Sets Cybersecurity Example

View on Think Advisor

New regulations in Colorado set ‘commodity security’ apart from robust cybersecurity practices

Justin Kapahi, vice president of solutions and security at External IT, is excited about a new set of cybersecurity regulations for financial institutions that were recently passed in Colorado.

The Colorado Division of Securities published final rules in mid-May that compel broker-dealers and investment advisors to establish and maintain written cybersecurity procedures designed to protect clients’ personal confidential information. Those procedures include using secure emails that employ encryption and multifactor authentication practices for employees to access databases, among other things.

Kapahi believes these rules will go a long way toward helping financial advisory firms in Colorado understand how best to protect themselves from hackers. Even if most firms in this industry have in place what Kapahi calls “commodity security” (firewalls and anti-virus protection, for example), many are not truly equipped to counter “socially engineered threats” like spam emails that look innocuous but can result in major database breaches.

How To Ensure Cloud-Based Tech Vendors Are Truly Secure Partners

View on WealthManagement.com

If your firm’s SaaS provider doesn’t follow state-of-the-art security measures, then you are placing your practice and your clients at serious risk.

In our digital age, most wealth management firms have embraced cloud-based — a.k.a. “software as a service” (SaaS) — technology solutions for their practices. But as SaaS applications and platforms continue to overtake traditional licensed software as the tools of choice for the wealth management industry, financial advisors looking to make the transition to the cloud should proceed carefully.

Given the significant repercussions that wealth management firms can face after a data breach, such as loss of clients, regulatory fines and permanent damage to their reputations, they need to perform extensive due diligence on potential SaaS vendors to make sure client data will not be compromised. If your firm’s SaaS provider doesn’t follow state-of-the-art security measures, or if the companies it contracts with are vulnerable, then you are placing your practice and your clients at serious risk.

Article from InvestmentNews

Cybersecurity looms as adviser business threat

View on InvestmentNews

U.S. officials have warned for many years that cybercrime is one of the greatest threats facing the nation, and now financial advisers have to face the reality that their businesses are also vulnerable to digital attacks.

News headlines regularly carry stories of broker-dealers and advisers increasingly being targeted by sophisticated hackers aiming for clients’ personal information and funds. Wealth managers also are getting more attention from regulators, which are fining financial firms that fail to be mindful of cybersecurity, including all the actions of their employees and third-party partners.

Colorado Raises the Bar in Buyside Cybersecurity

View in FinOps Report

Banks might not be the only financial institutions needing dedicated chief information security officers (CISOs) to oversee and enforce a cybersecurity program.

As FinOps Report goes to press, the Colorado Division of Securities is set to finalize rules which, as of July 15, will make the state the first in the US to require fund managers and broker-dealers to follow a prescribed list of procedures to mitigate the potential for a data breach. Even if the appointment of a CISO is not mandated, fund managers and broker-dealers would have to follow some of the same requirements recently imposed by New York State for banks. Therefore, they would need to pick someone to handle the same responsibilities.

How Wealth Managers Can Identify the Right Cloud Technology

View on Think Advisor

Although cloud computing is fast becoming the norm in IT, many people still have trouble defining “the cloud.” Even among IT experts, the term “cloud” can refer to a wide variety of different technologies that are only connected in a general sense.

This confusion makes it hard for wealth managers to know whether the cloud is secure enough to support their firms’ critical information and workflows. The answer to this question isn’t so much “yes” as “yes, it can be.” Not all clouds are created equal, especially when it comes to management and infrastructure. In order to experience the full benefits of the cloud, wealth managers need to understand which type of cloud solution is the right fit for their practice before they begin the transition process.

3 Tips for Enhancing Your Firm’s Cybersecurity Readiness

View on iris.xyz

After witnessing massive cybersecurity breaches at companies such as Adobe, Target, Home Depot, Sony, Experian and JPMorgan over the past four years, wealth management firms, like members of many other industries, have ramped up efforts to protect sensitive client information from hackers.

I work with financial advisors, family offices, broker-dealers and asset managers across the U.S. to create cybersecurity and IT solutions that meet their business and compliance needs, and based on what I have seen, many wealth managers do have solid cybersecurity measures in place.

The problem isn’t that they don’t have a cybersecurity plan—the problem is that not every staff member follows all the steps in the cybersecurity plan, or even knows to do so. This is important, because during SEC regulatory audits, the examiner doesn’t just want to see that you have all the necessary tools to protect sensitive financial information. They also want to make sure you and all your team members actually know how to use them, and regularly test them.

Below are three tips on best practices for enhancing your firm’s cybersecurity readiness to protect your clients’ sensitive financial data as the threat of cyber-attacks continues to increase.

1. Universal Adherence is Key
In this day and age, all it takes for your firm to experience a reputation-damaging and costly data breach is one employee losing a company mobile device that isn’t password-protected. To truly protect your clients and your firm, all cybersecurity procedures must be followed by every employee.

I can’t tell you how many times I’ve heard an advisory firm’s chief compliance officer or chief IT officer say, “Well, we tell people to do something, but so and so is a managing director and he doesn’t want to do it, and we can’t force him to do it.”

This excuse won’t pacify investors when their personal information is stolen by hackers. It won’t pacify SEC examiners during audits either.

Unfortunately, I’ve seen more than a few 40-person advisory firms where 38 employees utilize two-factor authentication to protect their devices. More often than not, the two holdouts who refuse to use two-factor authentication are senior advisors who wind up putting the entire company, and all its clients, in jeopardy, because they have access to everything in the system.

Cybersecurity processes need to be universally followed across your organization in order to be effective. Your cybersecurity protocols are rendered ineffective if even one person ignores them.