Cybersecurity

As registered persons continue to modernize their businesses, cybersecurity issues are becoming more common. Many firms now store customer records and sensitive documents digitally and in the cloud. Because hackers and other bad actors routinely try to steal identities and confidential information, financial institutions need clear ways to protect clients.

The North American Securities Administrators Association (NASAA) created a cybersecurity checklist to help investment advisers and investment adviser representatives (IARs) ensure the integrity of their systems.

*NASAA provides cybersecurity guidance for advisory firms, but doesn’t have much to say about broker-dealers. This difference comes from how each is regulated. Broker-dealers are regulated by both the Securities and Exchange Commission (SEC) (federal) and the state administrator. Because federal law generally supersedes state law, the SEC primarily provides cybersecurity guidance to broker-dealers. Since this is a state-based exam, those federal rules are generally not covered on the Series 63, but rules applicable to state-based advisers are tested. The components of this chapter can be thought of as relevant to all registered persons.

We’ll use NASAA’s cybersecurity checklist to organize best practices. The document breaks cybersecurity into five categories:

• Identify
• Protect
• Detect
• Respond
• Recover

Identify

The first step is identifying the cybersecurity risks the firm faces. You can’t protect against a threat you haven’t recognized.

NASAA recommends that firms perform risk assessments and designate specific people to handle cybersecurity issues if they arise. The checklist highlights these best practices:

• Conduct frequent risk assessments (at least annually)
• Risk assessment should include:
  • Review of data collected
  • Where data is stored
  • Identify if data is encrypted
• Identify “insider” risks*
• Identify potential third-party risks**
• Determine if the firm enforces cybersecurity practices***
• Identify internal points of contact in event of a cybersecurity event
• Determine if the firm has proper hardware and software

*An “insider” risk refers to internal threats from disgruntled employees.

**Third parties are persons other than clients that may have access to confidential information. This could include outside vendors (e.g. a company that prints disbursement checks) and authorized parties (e.g. accountants, persons with power of attorney (POA)).

***Best practices involved with cybersecurity include frequent password changes, locking of devices, protocols for reporting stolen information, etc.

Protect

After identifying threats, the firm should protect its digital infrastructure. NASAA organizes this part of the checklist into several areas:

• Email
• Devices
• Cloud storage
• Firm websites
• Custodians & third-party vendors
• Encryption

Email
Firms should identify what information is transmitted via email and avoid sending sensitive information through unverified methods. If sensitive information must be sent, the firm should use an authentication system to verify the client. Employees should also understand whether emails are secured or unsecured.

Devices
Firms should know which devices (e.g. computers, phones) can access sensitive information and whether those devices are properly secured. Backups should be performed routinely and tested. Firms should also conduct routine audits of devices and establish protocols for the destruction of devices.

Use of cloud services
Registered persons should perform due diligence when hiring third-party vendors for cloud services. As part of that due diligence, confirm the vendor has safeguards in place and a documentation system for breaches.

Firm websites
Firms should identify who has access to the firm’s website. They should also determine whether client data is available on the website and, if so, ensure that information is secured.

Custodians & third party vendors
When an investment adviser uses an outside firm (e.g. broker-dealer or bank) to maintain custody of client accounts, due diligence should be performed on that firm’s cybersecurity system. This also applies to outside vendors that have access to sensitive client information (e.g. a company that prints client statements).

Encryption
Encryption is the process of encoding information so it can’t be read by hackers and other bad actors. Firms should use encryption when transmitting sensitive information over the internet.

Detect

Firms should have systems in place to detect cybersecurity issues when they occur. NASAA’s detection recommendations include:

• The use of antivirus software
• Antivirus software must be continually updated
• Employees are trained on how to use cybersecurity software
• Utilization of firewalls
• Procedures in place to identify and alert personnel when cybersecurity events occur

Respond

If a cybersecurity event occurs, the firm should have protocols to respond appropriately. NASAA recommends putting these procedures in place:

• Protocols for notification to the appropriate authorities
• Protocols for notification to the press
• Protocols for notification to impacted clients

Recover

After a cybersecurity event, the firm must work to recover and protect its digital infrastructure from further attacks. The following protocols should be implemented:

• Determination of whether cybersecurity insurance should be obtained
• Analysis of cybersecurity insurance if purchased
• Ensure cybersecurity is not voided due to employee misconduct
• Business continuity plan in place
• Data retrieval program in place
• Firm provides training on data recovery