In the News

3 Tips for Enhancing Your Firm’s Cybersecurity Readiness


View on iris.xyz

After witnessing massive cybersecurity breaches at companies such as Adobe, Target, Home Depot, Sony, Experian and JPMorgan over the past four years, wealth management firms, like members of many other industries, have ramped up efforts to protect sensitive client information from hackers.

I work with financial advisors, family offices, broker-dealers and asset managers across the U.S. to create cybersecurity and IT solutions that meet their business and compliance needs, and based on what I have seen, many wealth managers do have solid cybersecurity measures in place.

The problem isn’t that they don’t have a cybersecurity plan; the problem is that not every staff member follows all the steps in that plan, or even knows to. This matters because during SEC regulatory audits, examiners don’t just want to see that you have the tools needed to protect sensitive financial information. They also want to confirm that you and every member of your team actually know how to use those tools, and that you test them regularly.

Below are three tips on best practices for enhancing your firm’s cybersecurity readiness to protect your clients’ sensitive financial data as the threat of cyber-attacks continues to increase.

1. Universal Adherence is Key
In this day and age, all it takes for your firm to experience a reputation-damaging and costly data breach is one employee losing a company mobile device that isn’t password-protected. To truly protect your clients and your firm, all cybersecurity procedures must be followed by every employee.

I can’t tell you how many times I’ve heard an advisory firm’s chief compliance officer or chief IT officer say, “Well, we tell people to do something, but so and so is a managing director and he doesn’t want to do it, and we can’t force him to do it.”

This excuse won’t pacify investors when their personal information is stolen by hackers. It won’t pacify SEC examiners during audits either.

Unfortunately, I’ve seen more than a few 40-person advisory firms where 38 employees utilize two-factor authentication to protect their devices. More often than not, the two holdouts who refuse to use two-factor authentication are senior advisors who wind up putting the entire company, and all its clients, in jeopardy, because they have access to everything in the system.

Cybersecurity processes need to be universally followed across your organization in order to be effective. Your cybersecurity protocols are rendered ineffective if even one person ignores them.

Hacked? Proposed Bill Would Allow Firms to Hack Back


View on Think Advisor

House proposes bill amendment that would allow retaliatory hacking

Rep. Tom Graves, R-Ga., introduced a bill as a discussion draft that would allow a victim of a cyberattack to access the attacker’s computer in order to gather information about the attack to share with law enforcement or to stop the hacker from continuing to access their network.

The Active Cyber Defense Certainty Act would not allow cyberattack victims to destroy any information on their attacker’s network or to otherwise cause a threat to public safety. The proposed amendment has not been formally introduced yet.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” Graves said in a statement on Friday announcing the proposal. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

Conversation is all that Justin Kapahi, vice president of solutions and security for External IT, expects to come from the proposed bill. He told ThinkAdvisor on Wednesday that the proposal was likely “meant to provoke discussion” rather than to actually become law.

“It’s good to create a discussion around ‘why do we have to play defense? Why can’t we play offense?’” he said. Ultimately, though, he said advisors could take the proposal as “entertainment,” and to continue focusing their cybersecurity efforts on what regulators are looking for now.

He pointed out that most breaches are from users inadvertently giving their passwords to hackers. He recommended financial firms strengthen their cybersecurity programs with training and two-factor authentication.

Read more at Think Advisor

First State-Mandated Cybersecurity Law Goes Into Effect In New York


View on WealthManagement.com

Unlike guidelines from the SEC and FINRA, New York details specific actions and names a hard deadline for compliance. 

The first state-mandated cybersecurity regulations in the nation went into effect Wednesday in New York State, requiring a wide range of financial services, banks and insurance firms to adopt measures aimed at protecting client data.

The rules, which the New York Department of Financial Services proposed in September and finalized Feb. 20, contain 23 sections detailing specific actions firms must have in place, including data encryption, appointing a chief information security officer, training employees in security, multi-factor authentication, and annual evaluations from a senior officer. The rules affect any companies regulated by New York DFS, as well as any third party vendor that has access to the data.

“New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew Cuomo said on finalizing the rules last week.

Firms have six months to comply with the rules and could face significant penalties and sanctions if they fail to do so.

Justin Kapahi, vice president of solutions and security at External IT, said nothing in New York’s mandate should surprise firms already following industry best practices, in addition to the guidelines already issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority. However, the federal guidelines lack specifics. For example, the SEC requires firms to implement “reasonable safeguards to protect a client’s nonpublic information,” but doesn’t define what those reasonable safeguards are, according to The Wall Street Journal. Nor does the SEC stipulate what firms must do after a breach occurs, how it will enforce rules or penalize noncompliance.

“[New York is] taking what the SEC and FINRA have put out there and created a much more detailed and prescriptive version,” Kapahi said. “In here, you see a lot of detailed descriptions for what needs to be done.”

Read more on WealthManagement.com

Cybersecurity: How to prevent ‘insider accidents’


As cyberattacks have become a serious threat to the wealth management industry, many financial advisory firms have developed strong policies to prevent client data from being hacked.

However, some firms haven’t exerted the same amount of effort into training their employees or vendors to make sure these policies are correctly implemented. As a result, money spent goes down the drain, said H2L Solutions CEO Jonathan Hard during an exclusive Financial Planning webinar on cybersecurity.

According to an OCIE survey of broker-dealers and advisers, 88% of BDs and 74% of advisers have experienced cyber-related incidents, the majority of which are related to malware and fraudulent emails. Also, 25% of the BDs who suffered loss blame it on employees not following policies, which led to security compromises.

It’s important to note that not all cybersecurity breaches are external. An “insider accident” could compromise a firm’s security, Hard said. “If your employees are not properly trained — no matter what technical solution you have in place to eliminate that risk, no matter how much money you spend — you’ll still be compromised,” Hard said.

In fact, over 90% of hacks come from an unintentional inside job, said Justin Kapahi, vice president of solutions and security at External IT, a technology services provider for advisory firms. “All employees have the keys to the security you built up. If they hand the keys to random strangers on the street, that’s not secure,” he said.

Read more at Financial Planning

Deadline Approaching for New York Cybersecurity Regulations


View on Think Advisor

Rules ‘go beyond’ what SEC, FINRA have required of financial firms

Gov. Andrew Cuomo of New York announced Thursday final regulations that require financial services institutions to establish and maintain strict cybersecurity standards and to report them to the state’s Department of Financial Services.

DFS first proposed the regulation in September and was met with strong opposition from industry groups that said it was too strict. The mandate was revised in December to push back the compliance date. The regulation will take effect on March 1, and financial firms in New York will have until Sept. 1 to comply.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks,” Cuomo said in a statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cybercrimes.”

Indeed, the mandate prescribed by the New York DFS “goes beyond even what the SEC and FINRA have put forth,” according to John Cunningham, chief information officer and chief information security officer for Docupace.

Financial firms are being asked to “open the kimono” on their cybersecurity practices and report annually to the state superintendent on gaps in their firms and what they’re doing to remediate them, he said. Those reports must be retained for five years, Cunningham said in an interview with ThinkAdvisor. Cybersecurity programs must also include policies for regularly disposing of nonpublic information the firm no longer needs.

Firms must report all cybersecurity events, even unsuccessful ones, within 72 hours of discovery, he added.

Justin Kapahi, vice president of solutions and security at External IT, called the mandate “one of the more prescriptive action summaries I’ve seen in a while.”

“Right off the bat, you see that [it’s] much more prescriptive about the kind of IT policies you have to have, exactly what should make up those IT policies, and how you’re supposed to use those policies to measure your risk. That’s something that the SEC infers, but [the New York DFS] actually prescribes,” Kapahi told ThinkAdvisor.

Read more at Think Advisor

The Future of Wealth Management Will Hinge on Technology


As society continues to embrace digital trends, it seems that the future of wealth management will hinge on technology. Beyond attracting Millennials, either as investors or fellow advisors, keeping current with tech trends will allow you to stay ahead of the market and protect your firm.

As stated by Mitchell Caplan, “Advisors who manage more assets and generate more revenue spend substantially more on technology and adopt technology into their practice at twice the rate of the average advisor.”

How can you reach this return? The following 6 areas of emphasis provide ample opportunities for you to analyze and implement technology for your practice in an effort to keep current with the ever evolving landscape of digital utilization for financial advisors.

Read more at iris.xyz

Your Biggest Cybersecurity Threat? Your Employees


View on Think Advisor

Corporate security breaches are becoming ever more common each year, and firms ranging from the highest echelons of the Fortune 500 roster to small RIAs have proven vulnerable.

Frequent headlines of hacks and data leakages are increasingly hard to ignore. Many financial advisors have seen those stories and sought a better understanding of cybersecurity. It’s an encouraging sign that wealth management firms of all sizes are making the concept central to their value proposition.

By now you’ve probably heard about the most obvious cybersecurity precautions – cloud-based platforms that facilitate firewalls, data encryption and multi-factor authentication. But many firms have still not come to grips with one of the most prevalent sources of data breaches: employees.

Hackers routinely target workers who are dangerously oblivious to proper cybersecurity practices. Managers who care about protecting their clients, their firms and themselves must prioritize educating employees of all levels on how breaches occur.

Employee-Related Breaches

Whether rank-and-file or C-suite, employees can fall prey to malicious agents in numerous ways. Typical scenarios involve social engineering, insecure remote access and unauthorized access.

  • Social engineering involves criminals who use emails, text messages, phone calls and websites to impersonate legitimate sources. They then dupe staffers into revealing confidential information, or into clicking links that install malware on the firm’s systems.
  • Insecure remote access is rampant. Traffic sent over public Wi-Fi, such as that available at libraries, parks or coffee shops, can be intercepted or redirected by anyone on the same network. Similarly, employees who share laptops or smartphones with anyone else put private data at risk.
  • Unauthorized access is when staffers use applications to view files or change data they should not be able to touch. This usually requires another employee, such as a system administrator, to be lax with system access controls. Data theft or destruction can follow.
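The social-engineering scenario above is the one most firms test with simulated phishing, and its cheapest indicators can be checked mechanically. The following Python script is an added example (not code from the original article or from External IT) that inspects a raw email for four impersonation tells: a sender domain outside an assumed allowlist, a display name that borrows a trusted brand while the address domain does not, a Reply-To that diverts responses elsewhere, and links whose visible text names one host while the href goes to another. The trusted domain and the two sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the only domain the firm expects client-facing
# mail from. A real deployment would list the firm's and its custodians' domains.
TRUSTED_DOMAINS = {"examplefirm.com"}

# Does a piece of link text look like a URL or a bare hostname?
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url_or_host: str) -> str:
    """Hostname of a URL; a bare hostname is accepted by prefixing a scheme."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)

    # 1. The sender domain is not one the firm trusts.
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_domain!r} is not on the trusted list")

    # 2. The display name borrows a trusted brand but the address domain does not
    #    match (e.g. "Example Firm Support" sent from examplefirm-secure.com).
    name_tokens = re.sub(r"[^a-z0-9]", "", display_name.lower())
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name_tokens and from_domain != trusted:
            findings.append(f"display name mentions {brand!r} but address domain is {from_domain!r}")

    # 3. Replies are diverted to a domain other than the apparent sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 4. A link's visible text names one host while its href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if URL_LIKE.match(text) and host_of(text) != host_of(href):
                findings.append(f"link text shows {host_of(text)!r} but href goes to {host_of(href)!r}")
    return findings


# Constructed sample messages (not real mail): one lookalike phish, one legitimate notice.
SUSPICIOUS_EMAIL = (
    "From: Example Firm Support <alerts@examplefirm-secure.com>\n"
    "Reply-To: helpdesk@mail-collect.net\n"
    "Subject: Action required: verify your account\n"
    "Content-Type: text/html; charset=\"utf-8\"\n\n"
    "<p>Please sign in at <a href=\"http://examplefirm-secure.com/login\">"
    "https://portal.examplefirm.com/login</a> within 24 hours.</p>\n"
)
LEGITIMATE_EMAIL = (
    "From: Example Firm Support <alerts@examplefirm.com>\n"
    "Subject: Your monthly statement is available\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Your statement is available in the client portal.\n"
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

On the constructed phish the script reports all four indicators; on the legitimate notice it reports none. None of these checks replaces SPF/DKIM/DMARC evaluation at the gateway, but they are the same tells a trained employee is asked to look for, which makes the script a useful reference when writing the answer key for a phishing test.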

Employees have been responsible for data breaches in both the private and public sectors.

In June, the Securities and Exchange Commission fined Morgan Stanley $1 million after a former advisor accessed confidential data on thousands of clients belonging to other advisors, and transferred them to his personal server, only for him to become the victim of a hacker who then posted some of the data online.

And in July, Republican members of the House Committee on Science, Space and Technology released a report criticizing the Federal Deposit Insurance Corporation for failing to prevent employees of the agency from storing private data about banks and individuals on unauthorized portable drives – on several occasions.

Preparing Employees

Any RIA without a rigorous cybersecurity employee-training program should fix that oversight immediately. Executives should announce the program in writing, to foster clarity. The message should highlight steps everyone can take now to improve cybersecurity:

  • Passwords should be long and should mix upper- and lower-case letters, numbers and symbols. Employees should use a different password for each application, and avoid sentimental clues like birthdays or family names that hackers might guess.
  • Staff should log onto the firm’s servers only from approved locations such as the office or home, and only from devices either provided by the firm or that belong solely to the staffer.
  • If unverified sources seek firm data, electronically or otherwise, workers should alert their supervisor before doing anything else.

Effective employee-training programs are ongoing endeavors characterized by structure and buy-in at all levels. The best way to prevent data breaches is to implement written policies and procedures addressing how to handle digital information, software usage and user access. Firms should implement strict controls on which employees can access specific applications, including whether an individual employee can only read certain files or also edit them. For those controls to be enforceable, the firm’s systems must automatically log all user activity and produce regular audit logs that managers actually review.
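As an added example of what the access controls and audit-log review described above look like in practice (this is not code from the original article or from External IT), the Python below defines a hypothetical role policy in which advisors can read and write only their own clients’ records, evaluates a constructed audit log against that policy, and also flags any user who reads an unusual number of distinct client records even when each individual read was permitted, which is the pattern in the Morgan Stanley case cited earlier. The roles, user names, log format and bulk threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Hypothetical role policy: role -> action -> object patterns (fnmatch globs).
# "{user}" is replaced with the acting user's name, so an advisor's patterns
# only ever cover that advisor's own clients.
POLICY = {
    "advisor": {"read": ["clients/{user}/*"], "write": ["clients/{user}/*"]},
    "ops": {"read": ["clients/*/*", "reports/*"], "write": ["reports/*"]},
    "admin": {"read": ["*"], "write": ["*"], "grant": ["*"]},
}
# Hypothetical directory: user -> role. Anyone not listed is denied everything.
USERS = {"jsmith": "advisor", "kdoe": "advisor", "mops": "ops", "root": "admin"}

# Assumed audit record layout: ISO timestamp followed by key=value fields.
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$")


def is_permitted(user: str, action: str, obj: str) -> bool:
    """Least-privilege check: allowed only if the user's role lists a matching pattern."""
    role = USERS.get(user)
    if role is None:
        return False
    patterns = POLICY.get(role, {}).get(action, [])
    return any(fnmatchcase(obj, pattern.format(user=user)) for pattern in patterns)


def parse_line(line: str):
    """Return the fields of one audit line as a dict, or None if it does not parse."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def review_audit_log(lines, bulk_threshold: int = 3):
    """Evaluate audit lines against the policy.

    Returns (violations, bulk_readers). Violations are events the policy would
    have denied, plus unparseable lines, which a reviewer must not silently skip.
    Bulk readers are users who read more than bulk_threshold distinct client
    records; that deserves a look even when every single read was permitted.
    """
    violations = []
    client_reads = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event is None:
            violations.append(f"unparseable audit line: {line!r}")
            continue
        if not is_permitted(event["user"], event["action"], event["obj"]):
            violations.append(
                f'{event["ts"]} {event["user"]} {event["action"]} {event["obj"]}: denied by policy'
            )
        if event["action"] == "read" and event["obj"].startswith("clients/"):
            client_reads[event["user"]].add(event["obj"])
    bulk_readers = sorted(u for u, objs in client_reads.items() if len(objs) > bulk_threshold)
    return violations, bulk_readers


# Constructed sample audit log (not real data): jsmith reads another advisor's
# clients, mops writes where ops may only read, and "ghost" is not in the directory.
SAMPLE_LOG = """
2017-03-01T09:12:44Z user=jsmith action=read object=clients/jsmith/acct-1001
2017-03-01T09:13:02Z user=jsmith action=write object=clients/jsmith/acct-1001
2017-03-01T09:20:17Z user=jsmith action=read object=clients/kdoe/acct-2001
2017-03-01T09:20:18Z user=jsmith action=read object=clients/kdoe/acct-2002
2017-03-01T09:20:19Z user=jsmith action=read object=clients/kdoe/acct-2003
2017-03-01T10:01:00Z user=mops action=read object=clients/kdoe/acct-2001
2017-03-01T10:02:00Z user=mops action=write object=clients/kdoe/acct-2001
2017-03-01T10:05:00Z user=ghost action=read object=reports/q1-summary
""".strip().splitlines()

if __name__ == "__main__":
    found, bulk = review_audit_log(SAMPLE_LOG)
    print("\n".join(found))
    print("bulk readers:", bulk)
```

Run against the sample log, the review reports five policy violations and flags jsmith as a bulk reader. The design point is that the same policy table serves both purposes: the application consults is_permitted before granting access, and the review runs the identical function over the audit trail afterwards, so a gap between what the policy says and what the system actually allowed shows up as a violation rather than going unnoticed.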

Proper training includes scenario analysis. What if a hacker obtains a client’s social security number? What if an advisor loses an office-supplied smartphone or laptop? What if the firm’s data encryption, firewall and multi-factor authentication tools are outdated? What if a staffer is suspicious of a colleague’s activities on the operating system?

All employees must know how to respond in each scenario, based on their specific role at the firm and their place in the chain of command. That’s why training guidelines should be written, tailored for relevant positions, and stored in easily accessible places. Furthermore, qualified cybersecurity professionals should be available to answer staff questions or help conduct training.

Delay No Longer

Yes, it is a major commitment to upgrade your firm’s cybersecurity precautions to account for employee-related vulnerabilities. RIAs must research the most appropriate software to use and the technology partners best suited to provide educational resources. As firms increasingly rely on technology, the potential for data breaches will also increase. Therefore, the wisest course of action is to prepare now for tomorrow’s security risks.

What CCOs Need to Know About Data Security, Technology and Regulation


View full article in IAA Newsletter

The SEC’s concern about the security of client data at investment advisory and other financial services firms continues to grow, and for good reason. Studies show that financial firms are 300 times more likely to be attacked than any other type of business. At the same time, an SEC sweep exam of investment advisory firms and broker-dealers has found that while many firms have cybersecurity policies in place, those policies often do not match the sorts of risks they face.

SEC Chair Mary Jo White left no doubt about the severity of the problem when, in May, she called cybersecurity the single biggest risk facing the financial system. After a first round of sweep exams, the SEC’s Division of Investment Management issued guidance on cybersecurity policies and procedures in April 2015. In September 2015, the Office of Compliance Inspections and Examinations (OCIE) issued a risk alert announcing a second cybersecurity sweep exam initiative, which is continuing. In November, OCIE issued another risk alert, for investment advisers that use outsourced CCOs. In January of this year, OCIE identified cybersecurity as one of its main examination focus areas in its annual priorities letter.

View full article in IAA Newsletter

External IT Brings Cybersecurity Training


View on WealthManagement.com

External IT, a technology firm that provides cloud-based cybersecurity and information technology for financial services, is launching a new kind of SAT for advisors, one without an essay portion. The Security Awareness Training program is designed to educate advisors and their employees on best practices for using corporate IT systems. The program includes phishing email tests, reporting, online training and results of the evaluation delivered to the firm’s compliance manager. External IT says the program addresses the most commonly overlooked source of data breaches: employee-related negligence. “Information is shared through non-secured programs, passwords are being carelessly generated — the list goes on,” said Justin Kapahi, External IT’s technical director. “We’ve developed SAT to provide advisors with clear security guidelines to ensure their information is protected from the inside-out, at every level.”

External IT Rolls Out Cybersecurity Training Program


View on FamilyWealthReport

External IT has launched a security awareness training offering to educate financial advisors and their employees on best practices when using corporate IT systems.

The firm has also launched a policy and procedure development and lifecycle management offering to educate firms on the latest SEC and FINRA mandates. This will place advisors in training programs to ensure they are operating under the industry’s rapidly developing compliance guidelines, and also includes a quarterly cybersecurity update and a yearly cybersecurity report.

“We’ve come to a point in the financial services space where cybersecurity is not only paid attention to, but has become a differentiator among firms,” said Justin Kapahi, technical director at External IT.

“But for all of the attention cybersecurity is getting, there’s one important point that is being missed – the majority of security threats are actually originating from inside the walls of these firms,” Kapahi said. “Information is shared through non-secured programs; passwords are being carelessly generated – the list goes on. We’ve developed SAT to provide advisors with clear security guidelines to ensure their information is protected from the inside-out, at every level.”

In a similar move last week, Schwab Advisor Services unveiled a Cybersecurity Resource Center for advisors.