As financial advisors rely more and more on external networks to compile and manage information, their practices are increasingly exposed to cyber threats. These risks can result in the loss of data and business disruption, making the implementation of cybersecurity measures imperative.
“Cybersecurity is a pervasive and growing risk in our industry,” says Vipool Desai, president of Ara Compliance Support in Toronto. “However, with careful planning it can be managed effectively.”
As registered firms make greater use of data storage and software technology to enhance their operations, marketing and service delivery, they become increasingly exposed to cybersecurity risks.
Financial advisors have an obligation to implement measures to deal with cyber threats. The Canadian Securities Administrators (CSA) note in their most recent staff notice on the subject (dated September 2013) that certain types of cyber threats have increased in frequency and sophistication. The CSA states: “Registrants and regulated entities should be aware of the challenges of cybercrime and should take the appropriate protective and security hygiene measures necessary to safeguard themselves and their clients.”
These measures include educating staff on the importance of ensuring the security of their client information and their computers; following guidance and best practices from industry associations and recognized information security organizations; conducting regular third-party vulnerability and security tests and assessments; and reviewing their cybersecurity risk control measures on a regular basis.
However, Desai says, smaller businesses (such as financial advisory practices) tend to rely on third-party vendors for much of their technology needs. They typically engage an IT consultant to handle technology matters. “They often do not have the governance or risk-management structures assumed by much of the published guidance on cybersecurity,” he says.
Here are some practical steps you can take to establish a cybersecurity platform for your practice:
> Compile a data inventory
Take an inventory of the data you hold and where each item is kept. For example, note any third-party hosting services for web sites, email, online client-relationship management and portfolio-management systems, and cloud-based or physical servers. An inventory that is incomplete leaves data that nobody is protecting, so include backups, laptops and mobile devices as well as the main systems.
> Identify points of entry
Determine appropriate internal and external controls for every point at which data enters or leaves your practice. External controls are technical measures that prevent outside parties from reaching data, such as firewalls, data encryption and network segregation. The objective of segregation is to keep information in separate networks so that a breach of one network does not compromise information held in another.
“Where data is kept by an external vendor,” Desai says, “you should determine the adequacy of procedures the vendor has to prevent unauthorized access.”
> Perform regular audits
Desai suggests that you audit or verify internal and external controls frequently and prepare an annual report on their effectiveness. Address the risk that staff may inadvertently give unauthorized persons access to sensitive data.
To prevent breaches, implement measures such as strong, unique passwords (current guidance, for example NIST SP 800-63B, favours long passwords combined with multi-factor authentication over forced periodic changes); requiring specified pre-approvals before sensitive information is released to external parties; and prohibiting staff from accessing practice networks over public Wi-Fi.
> Conduct “fire drills”
Desai recommends conducting periodic tests or “fire drills” that walk through what must be done in the event of a data breach. Document the relevant procedures, which might include steps to contain the breach, identify the information that has been compromised, and notify clients and your insurance provider.