© Copyright 2014 AdvisorAssist LLC Protecting Your RIA Clients from Cyber Threats October 30, 2014

AdvisorAssist Are Your RIA's Clients Protected from Cyber Threats?



Protecting Your RIA Clients from Cyber Threats

October 30, 2014

Topics

In this presentation, our discussion will focus on:

● 3 Common Myths About Cybersecurity for RIAs

● Regulatory Framework

● Protecting your RIA Clients from Cyber Threats

● Questions?

About AdvisorAssist

We are a management consulting firm focused on serving investment advisory firms.

● Founded in 2006

● Employee-owned

● National focus with primary office in Massachusetts

Our clients are supported by seasoned practitioners with leadership experience as:

● Chief Compliance Officer

● Chief Operating Officer

● Chief Technology Officer

● RIA/Hedge Fund Founder

● Attorney

We deliver client solutions through an “integrated approach” that is driven by our expertise in compliance, marketing, strategy, and operations.


Registration Polling Question

3 Common Myths about Cybersecurity for RIAs

A Year in Compliance - 2014

Myth #1: Cyber threats against RIA firms are rare

● Cybersecurity risk among advisory firms is very real.

● More than 10% of AdvisorAssist’s RIA clients have experienced some kind of attempted cybersecurity breach in the past 12 months.

● “We’re seeing wire transfer fraud at epidemic levels,” Michelle Wraight, vice president and chief privacy officer at Pershing.

● Source: http://wealthmanagement.com/business-planning/considering-cybersecurity-insurance-heres-what-you-need-know

Myth #2: Cybersecurity is a “big firm” problem

● Every firm has points of vulnerability.

● In fact, regulators have explicitly stated that small firms will not get a pass on properly addressing this risk.

Myth #3: Cybersecurity is an IT issue

● Cybersecurity requires a multi-pronged approach.

● Effective cybersecurity goes way beyond information technology. Effective cybersecurity risk management is a cross-functional challenge that must also address operational processes, vendor management, regulatory requirements and human resources.

● And don’t forget “Knowing Your Customer.”

Regulatory Framework

It all comes back to the CCO!

Regulators have made it clear that compliance and risk management must be an integrated part of the operations of your business. Cybersecurity is not just a technology concern.

● CCO Rule - Rule 206(4)-7 of the Advisers Act and comparable state regulations require RIAs to have a competent CCO that can implement and enforce a compliance program that is effectively designed to prevent, detect and correct violations of the securities laws.

● Annual Compliance Review - The CCO must, at least annually, assess the effectiveness of the compliance program (and make adjustments as necessary).

● Adherence to this rule requires continuous attention.

● Cybersecurity is a critical component of an effective compliance program.

Focus Areas

OCIE’s Cybersecurity initiative was designed to assess the preparedness of RIAs and ensure that firms are taking the necessary steps to mitigate cyber threats.

● Preparedness

● Firm governance

● Identification and assessment of risks

● Protection of networks and information

● Remote access

● Funds transfer requests

Remember - Cybersecurity must be fully addressed as part of an effective compliance program for a registered investment advisor.

Cybersecurity Preparedness

The regulators will assess your firm’s preparedness:

● Inventory the risks

● Inventory systems and access control

● Develop policies

● Train your staff

● Test your policies

Firm Governance

The regulators are looking for the tone at the top.

● Do senior management and compliance implement and enforce standards?

● Are there consequences for failure to follow policies?

● Do you take appropriate action if there is a breach?

Identification and Assessment of Risks

It is hard to manage risks that you have not identified.

A risk assessment should include:

● Identification of all known risks to accounts, systems and information

● A ranking of the inherent risk or probability of an issue

● An impact weighting (level of severity to client or business)

● Adjustments up or down for risk management controls in place (or absent)

● The frequency with which these risks will be evaluated

Protection of Networks and Information

Is all private information properly secured?

● Locked office space and filing systems

● Secure networks

● Complex passwords

● Encryption

● Two-factor authentication

● Limits on access control

Remote access

You need to be aware of your systems, who has access, and to what.

● Make an inventory of the different technology systems and devices

● Include the individuals and vendors who access them, their usernames, and access levels

● Reconcile against access logs to confirm no unauthorized access

Understand the security protocols related to remote access:

● Authentication should require strong passwords and possibly other steps, such as phone confirmation

● Passwords stored on the server should be encrypted and not plain text

● Configure remote deletion / destruction capabilities for portable devices

● Restrict access to view-only for users who don’t need to edit

● Provide training or resources for users to minimize security risks

● Enable detailed access logs to passively capture network information
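The inventory-and-reconcile steps above are concrete enough to script. The following is an added example, not code from the AdvisorAssist presentation; the inventory layout, the log-line format, and every system name and username in it are constructed assumptions. It checks each logged access against the inventory, flags logins by users not on the list, edits by view-only users, and activity on systems nobody inventoried, and also lists entitlements that were never exercised, which are candidates for removal under the "limit access" principle.

```python
"""Reconcile a system/access inventory against access-log lines.

Added example, not code from the AdvisorAssist presentation.  The inventory
layout, the log-line format and every system name and username here are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed inventory: system -> {username: access level ("view" or "edit")}.
# Vendors are listed alongside staff, as the presentation recommends.
INVENTORY = {
    "crm": {"jdoe": "edit", "asmith": "view", "vendor-backup": "view"},
    "custodian-portal": {"jdoe": "edit"},
    "fileserver": {"jdoe": "edit", "asmith": "edit"},
}

# Constructed log lines: <timestamp> <system> user=<name> action=<view|edit>
LOG_LINES = """\
2014-10-01T09:02:11 crm user=jdoe action=view
2014-10-01T09:05:43 crm user=asmith action=edit
2014-10-01T10:17:02 custodian-portal user=asmith action=view
2014-10-01T11:30:00 fileserver user=jdoe action=edit
2014-10-02T02:14:55 crm user=tmp_admin action=edit
2014-10-02T08:00:00 crm user=vendor-backup action=view
this line is deliberately malformed and must be counted, not silently dropped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) action=(?P<action>view|edit)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    system: str
    user: str
    action: str
    reason: str


def parse_log(log_text):
    """Return (records, unparsed_count); each record is (ts, system, user, action)."""
    records, unparsed = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # an unparseable log line is itself worth a look
            continue
        records.append((m["ts"], m["system"], m["user"], m["action"]))
    return records, unparsed


def reconcile(inventory, log_text):
    """Flag every logged access the inventory does not explain.

    Returns (findings, unparsed_count); findings are in log order.
    """
    records, unparsed = parse_log(log_text)
    findings = []
    for ts, system, user, action in records:
        allowed = inventory.get(system)
        if allowed is None:
            findings.append(Finding(ts, system, user, action, "system not in inventory"))
        elif user not in allowed:
            findings.append(Finding(ts, system, user, action, "user not authorized on system"))
        elif action == "edit" and allowed[user] == "view":
            findings.append(Finding(ts, system, user, action, "edit by view-only user"))
    return findings, unparsed


def unused_entitlements(inventory, log_text):
    """Return {(system, user)} pairs that are inventoried but never appear in the log.

    Standing access that nobody exercises is a candidate for removal.
    """
    records, _ = parse_log(log_text)
    seen = {(system, user) for _, system, user, _ in records}
    return {(system, user) for system, users in inventory.items() for user in users} - seen


if __name__ == "__main__":
    found, bad = reconcile(INVENTORY, LOG_LINES)
    for f in found:
        print(f"{f.ts} {f.system} {f.user} {f.action}: {f.reason}")
    print(f"{bad} unparsed line(s)")
    for system, user in sorted(unused_entitlements(INVENTORY, LOG_LINES)):
        print(f"never used: {user} on {system}")
```

On the constructed data this reports three findings (an edit by a view-only user, a user on a system they were never granted, and an unknown account on the CRM), one malformed line, and two entitlements that were never used. The malformed line is counted rather than dropped because a reconciliation that silently skips what it cannot parse gives false comfort.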

Funds Transfer Requests

Making sure client funds are distributed to the client

● Verify the authenticity of client distribution requests received via email

● Establish your firm’s policy for addressing losses related to funds that were distributed without the client’s authorization

● Enforce standard practices to “Know your Customer” before distributing funds

Emails and phone numbers can be “spoofed” to look like your client’s contact information

Data Destruction Policies

How you dispose of data is just as important as how you store and protect it.

● Paper shredding

● Offsite storage

● Disposal of computers and drives

● Termination of vendor agreements

Red Flags Rule

While not every advisory firm is technically subject to Regulation S-ID (the “Red Flags Rule”), we strongly encourage every firm to have an Identity Theft Protection Program (“ITPP”) as part of an overall Information Security Program.

● Identify relevant red flags for the covered accounts that the firm offers or maintains, and incorporate those red flags into its ITPP

● Detect red flags that have been incorporated into the firm’s ITPP

● Respond appropriately to any red flags that are detected to prevent and mitigate identity theft, and

● Update the ITPP (and relevant red flags) periodically to reflect changes in risks to customers and to the firm from identity theft-related sources.

Protecting your RIA Clients from Cyber Threats

Compliance Program

An effective Cybersecurity compliance program should include:

● Overall policy on the use of technology and storage of data

● Mobile device policy

● Policy as to the dissemination of client information

● Policy for verification of client identity for information or money requests

● Inventory of all technologies and user access controls

● Inventory of all vendors and third parties that have access to systems and/or client data

● Risk assessment matrix

● Actionable testing plan

● Monitor for plugins and other access points to your systems

● Obtain periodic security audits

Know Your Customer

Knowing your customer is a great step in preventing fraud.

● Maintain current information in your CRM

● Understand your client profile and patterns to help spot suspicious activity

● Limit personal information shared in email

● Train your clients on the risks

● Consider security questions that are only known to the client (and never email them)

Mobile Devices

We are very dependent on mobile devices these days. As more and more technology moves to handheld devices, we must also remain vigilant here.

We often encounter firms that have the highest level of security as part of the internal network controls, but then leave mobile devices unsecured.

This is akin to having a security system on your home, but leaving the door wide open.

At some point, you will find someone or something you don’t want inside!

Mobile devices should have encryption, two-factor authentication and/or policy management.

Remote Access

Like mobile devices, access to systems must be secure.

● If you are not on a secure cloud environment, you must have a secure VPN connection to your network.

● Leaving your office computer running with a remote desktop is not secure.

Funds Transfer Requests

A simple policy: verify any amount you are not willing to cover yourself.

● If you are willing to cut a $5,000 check yourself, you only need to verify requests above $5,000.

● When we ask advisors this question, the answer is always $0.

When making verification calls...

● Know your client and their needs

● Be suspicious of activity that does not fit the client’s pattern or profile

● Verify personal information as well as intentions
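The verification policy described above (a firm dollar threshold, plus the "know your customer" checks on sender, destination and pattern, plus calling back only on the number on file because the request's own details may be spoofed) can be written down as a decision function. The following is an added example, not code from the AdvisorAssist presentation; the profile and request fields, the sample client, accounts, amounts and phone numbers are all constructed assumptions.

```python
"""Decide whether a funds-transfer request needs a verification call.

Added example, not code from the AdvisorAssist presentation.  The client
profile fields, the request fields, the sample values and the firm threshold
are all constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientProfile:
    name: str
    email: str                 # address on file in the CRM
    phone: str                 # number on file in the CRM; the only number we call back
    known_accounts: frozenset  # destination accounts the client has used before
    typical_max: float         # largest routine distribution seen for this client


@dataclass(frozen=True)
class TransferRequest:
    client_name: str
    from_email: str            # address the request arrived from (may be spoofed)
    amount: float
    destination_account: str
    callback_phone: str        # number offered in the request; deliberately never used


# "The answer is always $0": the firm verifies every request above this amount.
FIRM_THRESHOLD = 0.0


def verification_reasons(req, profile, threshold=FIRM_THRESHOLD):
    """List why this request must be verified before funds move; empty list = no reason."""
    reasons = []
    if req.amount > threshold:
        reasons.append(f"amount ${req.amount:,.2f} exceeds firm threshold ${threshold:,.2f}")
    if req.from_email.strip().lower() != profile.email.strip().lower():
        reasons.append("sender address does not match the address on file")
    if req.destination_account not in profile.known_accounts:
        reasons.append("destination account has never been used by this client")
    if req.amount > profile.typical_max:
        reasons.append("amount does not fit the client's usual pattern")
    return reasons


def decide(req, profile, threshold=FIRM_THRESHOLD):
    """Return the action to take and, for a callback, the number on file to use.

    The callback number always comes from the CRM profile, never from the
    request, because the request's contact details may be spoofed.
    """
    reasons = verification_reasons(req, profile, threshold)
    if reasons:
        return {"action": "verify_by_phone", "call": profile.phone, "reasons": reasons}
    return {"action": "process", "call": None, "reasons": []}


# Constructed sample data.
PROFILE = ClientProfile(
    name="Pat Client",
    email="pat.client@example.com",
    phone="+1-555-0100",
    known_accounts=frozenset({"ACCT-1001"}),
    typical_max=10_000.0,
)
REQ_ROUTINE = TransferRequest(
    "Pat Client", "pat.client@example.com", 4_000.0, "ACCT-1001", "+1-555-0100"
)
# Lookalike sender domain, new destination, unusual size, and a "call me here" number.
REQ_SUSPECT = TransferRequest(
    "Pat Client", "pat.client@examp1e.com", 25_000.0, "ACCT-9999", "+1-555-0199"
)

if __name__ == "__main__":
    for label, req in (("routine", REQ_ROUTINE), ("suspect", REQ_SUSPECT)):
        for threshold in (FIRM_THRESHOLD, 5_000.0):
            print(label, f"threshold=${threshold:,.0f}", decide(req, PROFILE, threshold))
```

With the $0 threshold every request goes to a callback, which is the policy the presentation says advisors actually choose; raising the threshold to $5,000 lets the routine request through while the suspect one is still caught on three independent grounds, and in either case the number dialed is the one in the CRM, not the one in the email.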

Internal Servers vs. Cloud

Which is more secure? Ask the IT professional that manages servers and you’ll hear internal servers. Ask the cloud professional...well you get it!

Both approaches have vulnerabilities. Advisors must be diligent to ensure their firm has implemented effective policies for:

● Encrypted connections and devices

● Complex passwords

● Password rotation policies

● Two-factor authentication

● Anti-virus software

● Limiting access to necessary systems

● Reporting suspected breaches

Cyber Insurance

Many insurance carriers are now offering Cyber Insurance Policies. These policies typically cover accounts that are compromised by employees and sometimes non-employees.

There are many factors to consider:

● Does my existing Errors and Omissions policy have this coverage?

● What are the coverage limitations? If the breach is from an inadvertent internal action, are we covered?

● Often policies do not cover fraudulent wires.


Resources

AdvisorAssist CCO Series: http://blog.advisorassist.com

SEC Risk Alert - OCIE Cybersecurity Initiative: http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf

NASAA Cybersecurity Report: http://www.nasaa.org/wp-content/uploads/2014/09/Cybersecurity-Report.pdf

Department of Homeland Security - Cybersecurity: http://www.dhs.gov/topic/cybersecurity

National Cybersecurity Alliance: http://www.staysafeonline.org/ncsam


Questions?

Please chat over any questions.

If we do not get to all questions, we will publish additional responses on the AdvisorAssist Blog at:

http://blog.advisorassist.com

Christopher E. Winn
Founder and Managing Principal
AdvisorAssist, [email protected] - office