View on WealthManagement.com
In the wake of headline-grabbing hacks like Equifax, experts weigh in on how advisors can step up their protection.
Despite headlines all month showing the scope of compromised personal information in attacks on Equifax, Yahoo and the SEC, many advisors still aren’t taking cybersecurity seriously.
An examination of more than 1,200 investment advisors by the North American Securities Administrators Association uncovered 698 deficiencies, including no or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant and a lack of procedures regarding hardware and software updates or upgrades.
The type of cloud computing solution you choose must be the one that best aligns with your practice’s clients, resources, expertise, business model and goals.
As more wealth management firms trade in their licensed software for cloud-based digital technology solutions, those that haven’t made the switch are understandably eager to find out more about the cloud and the benefits it can provide.
However, before beginning due diligence on providers of cloud-based solutions, they need to first understand which type of cloud is the right one for them. Even among IT experts, the term “cloud” can mean different things to different people. The cloud isn’t just “the cloud”—there are public, private and hybrid clouds, and they work in different ways. RIAs and broker-dealers have to identify which cloud is the right choice for their individual practice at the start of the process.
If your firm’s SaaS provider doesn’t follow state-of-the-art security measures, then you are placing your practice and your clients at serious risk.
In our digital age, most wealth management firms have embraced cloud-based — a.k.a. “software as a service” (SaaS) — technology solutions for their practices. But as SaaS applications and platforms continue to overtake traditional licensed software as the tools of choice for the wealth management industry, financial advisors looking to make the transition to the cloud should proceed carefully.
Given the significant repercussions that wealth management firms can face after a data breach, such as loss of clients, regulatory fines and permanent damage to their reputations, they need to perform extensive due diligence on potential SaaS vendors to make sure client data will not be compromised. If your firm’s SaaS provider doesn’t follow state-of-the-art security measures, or if the companies it contracts with are vulnerable, then you are placing your practice and your clients at serious risk.
Unlike guidelines from the SEC and FINRA, New York details specific actions and names a hard deadline for compliance.
The first state-mandated cybersecurity regulations in the nation went into effect Wednesday in New York State, requiring a wide range of financial services, banks and insurance firms to adopt measures aimed at protecting client data.
The rules, which the New York Department of Financial Services proposed in September and finalized Feb. 20, contain 23 sections detailing specific actions firms must have in place, including data encryption, appointing a chief information security officer, training employees in security, multi-factor authentication, and annual evaluations from a senior officer. The rules affect any companies regulated by New York DFS, as well as any third-party vendor that has access to the data.
“New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew Cuomo said on finalizing the rules last week.
Firms have six months to comply with the rules and could face significant penalties and sanctions if they fail to do so.
Justin Kapahi, vice president of solutions and security at External IT, said nothing in New York’s mandate should surprise firms already following industry best practices, in addition to the guidelines already issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority. However, the federal guidelines lack specifics. For example, the SEC requires firms to implement “reasonable safeguards to protect a client’s nonpublic information,” but doesn’t define what those reasonable safeguards are, according to The Wall Street Journal. Nor does the SEC stipulate what firms must do after a breach occurs, or how it will enforce the rules or penalize noncompliance.
“[New York is] taking what the SEC and FINRA have put out there and created a much more detailed and prescriptive version,” Kapahi said. “In here, you see a lot of detailed descriptions for what needs to be done.”
External IT, a technology firm that provides cloud-based cybersecurity and information technology for financial services, is launching a new kind of SAT for advisors, one without an essay portion. The Security Awareness Training program is designed to educate advisors and their employees on best practices for using corporate IT systems. The program includes phishing email tests, reporting, online training and results of the evaluation delivered to the firm’s compliance manager. External IT says the program addresses the most commonly overlooked source of data breaches: employee-related negligence. “Information is shared through non-secured programs, passwords are being carelessly generated — the list goes on,” said Justin Kapahi, External IT’s technical director. “We’ve developed SAT to provide advisors with clear security guidelines to ensure their information is protected from the inside-out, at every level.”