
a complimentary whitepaper for certified public accountants

www.oakstreetfunding.com

Using cybersecurity to protect yourself

and your clients

Staying ahead of online threats

It had been a long day for Jerry Russell*, more tiring than normal. A market correction two days earlier had panicked many of the RIA’s clients -- particularly those who were fairly close to retirement -- and he spent hours on the phone reminding them about the long-term performance of equities and the strategic allocations he’d built into their portfolios.

Jerry was in the office after 7:00PM, checking his emails one more time before heading home for a delayed dinner. There was one with an attached file from an old college friend who was known for sharing great jokes. Jerry’s fatigue overcame his normal wariness, and he clicked on the file, which turned out to be blank. He shrugged, deleted the email, and shut down the computer.

He didn’t realize the “blank” file actually contained malware. The next day, the malware sought out his contact database and began to generate similar emails to his clients. It also transmitted the contact information to a group of hackers in Eastern Europe, who sold it to other hackers. Jerry had no idea his clients were receiving fake emails claiming to be from him, or that 17 percent of those clients actually clicked on the attached files, giving the hackers access to even more victims. Fortunately, the hack was comparatively harmless -- no financial files were breached and the firewall at his clearing firm easily blocked an attempted penetration. But Jerry’s innocent decision to click on the file exposed his clients’ private information to a global network of criminals.

Perhaps the biggest risk to RIA firms

It’s hard to imagine a bigger risk to the average RIA firm than having confidential client information stolen or otherwise exploited. As technology plays a greater role in both the operation of firms and communications with clients and others, the risk only increases. Add in the fact that regulators have been stepping up their expectations for security policies and procedures, and it’s clear that cybersecurity is a top priority. 1

Its importance is underscored by regular surveys of RIA firm owners. In a recent study by the Investment Advisers Association and ACA Compliance Group, cybersecurity emerged as the biggest concern for the fifth year in a row. More than four out of five advisers surveyed said they were worried about the issue. Advertising and custody matters, the next biggest areas of concern, were cited by fewer than a third of respondents. 2

Internet security provider Symantec® identified personal financial information as the second most common type of data that was stolen during 2016, behind other personal information. And although smaller RIA firms may believe their size and the nature of their client relationships affords them an inherent level of protection, the facts say something different. Given that smaller RIA firms typically have tinier budgets for technology and only informal controls, they present an ideal target for data thieves. Symantec found that 43 percent of all phishing attacks that took place in 2015 targeted smaller businesses. 3

An industry-wide issue

Concerns about cybersecurity and high-profile incidents such as the worldwide WannaCry ransomware case have led to stepped-up attention from federal regulators. As part of its efforts to assess the risk involved, the National Examination Program staff of the Security & Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) studied a group of RIA firms. It discovered that more than a quarter of investment management firms (which included RIAs) failed to properly assess critical systems to find threats and vulnerabilities, or to consider what impact those could have upon the business. More than half failed to conduct penetration tests or vulnerability scans. On a more positive note, just 4 percent of the firms failed to keep up with software upgrades such as security patches. 4

Financing for RIA professionals

866-625-3863 • www.oakstreetfunding.com | 2

While nearly all of the firms OCIE studied had established policies and procedures to address cybersecurity and related continuity planning, fewer than two-thirds had plans for data breaches and for notifying clients about such incidents. Often, the firms’ cybersecurity policies offered little more than general guidance and safeguards for employees, and many of those policies weren’t well-enforced. Policies that called for regular reviews or internal audits weren’t checked as often as specified, if at all. Some included instructions that appeared to contradict other instructions. And firms that mandated cybersecurity awareness training may not have documented that employees actually completed training or the steps to be taken when they failed to do so. 5

On a brighter note, OCIE reported that overall results were better than what had been observed in previous reviews – but tempered that comment by noting that issues were found in the vast majority of firms it examined. 6

The biggest source of problems

While it may be human nature to place blame on new technology or complex regulations, it’s clear that the single biggest threat to the cybersecurity of RIA firms isn’t hardware, software, or the cloud. It’s employees. No matter what measures have been put in place or what specific technologies are being used to conduct business, accidental or negligent actions taken by employees create the greatest risk for failure and breach. 7

An RIA firm can implement a robust cybersecurity program, but its efficacy comes down to the actions of the people who have access to the firm’s technology and its sensitive information. All devices, whether they’re standalone, locally networked, or connected to cloud-based systems must be secured, both physically and electronically. If sensitive client data is stored on a computer and a thief walks off with it, every byte is at risk unless protections such as tough passwords have been incorporated. If an employee jots down her password on a sticky note and places it by her computer, it might be easy for a member of the nightly cleaning crew to use the information to compromise the system and its data. Ultimately, given the potential risk to RIA firms that rests in the actions of employees, the need for comprehensive, frequent, and up-to-date staff training is nothing short of critical. 8

What are cybersecurity best practices?

There is no one-approach-fits-all method for providing adequate cybersecurity. Every RIA firm is unique, and as such, each requires policies and practices designed around the nature of its operations, its clients, and its business partners. However, it’s clear that effective cybersecurity begins not with the right technology or an ideal policy, but with strong leadership. The firm’s top management must make cybersecurity a priority and ensure that employees understand that it must be taken seriously.

Whitepaper: Using cybersecurity to protect yourself and your clients


An effective cybersecurity program requires both technical control measures and ongoing risk assessments to better understand and address vulnerabilities -- both internally and in conjunction with key vendor relationships. Firms should overcome their resistance to sharing intelligence with other firms and regulators, which would strengthen the industry as a whole. Finally, it’s important to develop, test, and improve plans for how a firm will respond to specific types of cybersecurity incidents. 9

There are many business practices that fall under the cybersecurity umbrella, and most RIA firms probably employ most of them. But just as a car with airbags, antilock brakes, and stability control is inherently safer than one with just two of the three features, each practice that’s added reduces the overall risk. Practices your firm should consider if you don’t already have them include:

• developing and implementing policies and procedures for preventing and identifying cyberattacks, with mandatory ongoing training for all staff

• installing antivirus software on all devices and a firewall on networks, and keeping them updated

• teaching staff to identify suspicious emails and requiring them to report any they receive

• ensuring staff members know they shouldn’t download files or click on email links from senders they don’t recognize or who appear to be suspicious

• preventing phishing by verifying that emails appearing to come from vendors are legitimate

• using two-factor password authentication when possible

• never sending sensitive personal information through an unencrypted email

• verbally confirming all wire requests coming from clients and refusing to accept wire instructions over email (establishing a secret word or phrase for the client to use can help), and

• using a secure virtual private network (VPN) when traveling or outside the office rather than using public wi-fi. 10
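Several of the practices above can be checked mechanically before a staff member acts on a message. The following is an added example and not code from the whitepaper or from any firm it names; the vendor domains, the risky-extension list, the wire-instruction wording and the sample messages are all constructed assumptions for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed for this example: domains of vendors the firm actually does business with.
KNOWN_VENDOR_DOMAINS = {"custodian.example", "clearing.example"}
# Illustrative list of file types that should never be opened straight from email.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip")
# Wording that suggests the message carries wire or payment instructions.
WIRE_PATTERN = re.compile(r"\b(wire|wiring|routing number|aba|swift|iban)\b", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance; one typo away from a vendor domain is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(raw_message):
    """Return human-readable red flags for one message; an empty list means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    # 1. Sender domain is a one-character near-miss of a vendor the firm knows.
    if sender_domain and sender_domain not in KNOWN_VENDOR_DOMAINS:
        near = [d for d in KNOWN_VENDOR_DOMAINS if edit_distance(sender_domain, d) == 1]
        if near:
            findings.append(f"lookalike sender domain {sender_domain!r} (resembles {near[0]!r})")
    # 2. Display name shows one address while the real sender is another.
    if "@" in display_name and domain_of(display_name) != sender_domain:
        findings.append("display name carries an address that does not match the sender")
    # 3. Replies would go somewhere other than the apparent sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from sender domain")
    # 4. Executable or macro-enabled attachments (the "joke" file in the story above).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name!r}")
    # 5. Wire instructions are confirmed verbally, never acted on from the email itself.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and WIRE_PATTERN.search(body.get_content()):
        findings.append("wire/payment instructions in body: confirm by phone before acting")
    return findings

def build_sample(from_header, body_text, attachment=None, reply_to=None):
    """Constructed sample message for the demonstration (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "adviser@firm.example"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body_text)
    if attachment:  # payload is dummy bytes; only the filename matters for the check
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()
```

A flagged message is not proof of an attack; the point is that it goes to the reporting step the policy requires instead of being opened or acted on by the recipient.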

The SEC also suggests that firms maintain inventories of data, information, and vendors, with assessments of the risks, vulnerabilities, data, business consequences, and information related to each. They should detail instructions and schedules for penetration tests, security monitoring and system auditing, granting and modifying access rights, and how to report sensitive information that is lost, stolen, or unintentionally disclosed. In regard to employees, firms should establish and enforce acceptable use policies and access rules, including immediate cessation of access for terminated employees or those who leave voluntarily. 11


In addition, there are steps an RIA firm’s employees can take on an individual level that will lessen the possibility that their information – and by extension, the firm’s – may be compromised. For example:

• choosing different passwords for every site or application

• using obscure security questions or giving false answers to security questions

• keeping social media profiles as private as possible so hackers cannot find personal information they can use to thwart security questions, and

• only approving friend or connection requests from people they truly know and trust. 12

Getting started with cybersecurity

If what you’ve read here has convinced you that you need to move forward with a more robust cybersecurity effort, you may not be sure of how to begin. One of the best ways is to review the cybersecurity risk alerts developed by the SEC and create a written cybersecurity policy based upon what appears in those alerts. You can also talk to your IT staff or vendors to see what kind of technical controls and safeguards they would recommend. In addition, it may be advisable to obtain specific insurance coverage to protect you from damages resulting from a data breach. 13

The focus of your cybersecurity strategy should address three areas. First, you want to prevent threats through efforts such as controlling access to data, ensuring protection against viruses and malware, and creating perimeter defenses such as firewalls. Next, you want to ensure that you can detect any attempts to breach your system or access data, from phishing to efforts to bypass your firewall. Finally, you need to spell out how you’d respond to a cybersecurity incident. Your cybersecurity policy should explain how you’ll accomplish each of those areas in ways that are easy for your staff to understand. It should also spell out how you’ll conduct regular testing of your strategies to verify compliance. In addition, you may want to include an educational component that covers both staff training and familiarizing your clients with the types of threats they may encounter. 14

A cybersecurity strategy need not be complex. You can design yours around some basic concepts:

• Password management, such as password vaults and passcards that store authentication credentials and simplify the use of complex passwords that are difficult to hack.

• Using two-factor authentication whenever possible. That involves receiving access codes on a second device as a way to verify that an authorized user is logging in.

• Verifying the safety and security of any cloud data storage your firm uses.

• Monitoring and verifying staff compliance with your policies and data safety practices. 15

Fortunately, achieving this level of security does not have to be costly, especially if an RIA firm takes the perspective that cybersecurity doubles as a structure for better organizing the firm’s use of technology, whether that’s sharing files, performing backups, or sending and receiving emails. One estimate suggests that the average RIA firm can provide a sufficient level of cybersecurity for just $200 to $350 per staff member per month. 16


Financing your cybersecurity efforts

Much of what we’ve outlined in this white paper involves processes and procedures, but it’s quite possible that beefing up your cybersecurity efforts will lead you to consider making substantial upgrades to your current technology and physical aspects of your office. If you need additional capital to accomplish that, or if you’re not interested in tying up your working capital, you may want to consider outside financing.

Typically, owners of RIA firms think their best approach is to turn to local banks and loan officers they’ve come to know through the chamber of commerce or other networking activities. However, most traditional banks aren’t comfortable with the structure of commission-based businesses like RIA firms. Most are geared to making loans to businesses that have tangible assets such as inventory, equipment, and real estate.

That’s why a growing number of RIA firms turns to specialty lenders that are accustomed to working with the industry. Such lenders understand how a firm like yours operates and are familiar with the nature of your income streams, so they can approach the underwriting with realistic expectations and an appreciation for inherent risks. As private companies, they are not restricted by the federal limits associated with other types of loans.

Working with Oak Street Funding®

With a loan from Oak Street Funding, you can borrow against the future cash flows from your clients. It’s a solution other CPA practice owners have used to finance strategies for partner buy-ins and buyouts.

Oak Street can customize a loan for your needs and situation, from $100,000 to $30 million, with a term of one to ten years. The goal is to help you finance growth with minimal out-of-pocket cost by leveraging the power of your practice’s cash flow. Learn more or request a free quote at www.oakstreetfunding.com or 1-866-OAK FUND.

The strategic opportunities available to CPA practices are limitless. Access to affordable capital is the key to taking advantage of those opportunities, and Oak Street Funding has money to lend.


About Oak Street Funding

The materials in this paper are for informational purposes only. They are not offered as and do not constitute an offer for a loan, professional or legal advice or legal opinion and should not be used as a substitute for obtaining professional or legal advice. The use of this paper, including sending an email, voice mail or any other communication to Oak Street, does not create a relationship of any kind between you and Oak Street.

Loans and lines of credit subject to approval. Rate may vary at any time. CA residents: Loans made pursuant to a California Department of Business Oversight Finance Lenders License (#6039829). Potential borrowers are responsible for their own due diligence on acquisitions.

1 “Do’s and Don’ts of RIA Cybersecurity Best Practices,” RIAinabox.com, Aug 22, 2017

2 “Cybersecurity remains top RIA compliance concern,” Investment News, July 25, 2018

3 Stillman, Wes, “Cybersecurity For Small RIAs,” Financial Advisor Magazine, September 7, 2017

4 “Cybersecurity: Ransomware Alert,” Risk Alert, Securities & Exchange Commission, May 17, 2017

5 “Observations from Cybersecurity Examinations,” Risk Alert, Securities & Exchange Commission, August 7, 2017

6 “SEC Risk Alert Outlines RIA Cybersecurity Best Practices,” RIAinabox.com, Aug 14, 2017

7 “The Greatest RIA Cybersecurity Threat is Your Firm’s Staff: What To Do,” RIAinabox.com, May 18, 2015

8 ibid.

9 “Report on Cybersecurity Practices,” Financial Industry Regulatory Authority, February 2015

10 RIAinabox.com, Aug 22, 2017

11 Securities & Exchange Commission, August 7, 2017

12 RIAinabox.com, May 18, 2015

13 Giachetti, Thomas, “SEC Clarifies RIAs’ Cybersecurity Obligations,” ThinkAdvisor.com, November 2, 2015

14 “Cybersecurity Guidance,” Securities & Exchange Commission, April 2015

15 Stillman, op. cit.

16 ibid.
