Cybersecurity

As registered persons continue to modernize their businesses, cybersecurity issues are becoming more prevalent. Nowadays, firms tend to maintain customer records and sensitive documents digitally and in the cloud. Knowing that hackers and other bad actors routinely attempt to steal identities and sensitive information, how do financial institutions protect their clients? The North American Securities Administrators Association (NASAA) created a cybersecurity checklist to help investment advisers and investment adviser representatives (IARs) * ensure the integrity of their systems.

*NASAA provides cybersecurity guidance for advisory firms, but doesn’t have much to say about broker-dealers. This is because of how each person is regulated. Broker-dealers are regulated by both the Securities and Exchange Commission (SEC) (federal) and the state administrator. The SEC primarily provides guidance on cybersecurity to broker-dealers given federal law supersedes state law. Because this is a state-based exam, those rules are generally not covered on the Series 63, but rules applicable to state-based advisers are tested. The components of this chapter can be thought of as relevant to all registered persons.

We’ll use NASAA’s cybersecurity checklist to guide us through best practices. The document breaks down cybersecurity into five categories:

• Identify
• Protect
• Detect
• Respond
• Recover

Identify

It’s important for registered persons to identify the cybersecurity risks they face. After all, how do you protect yourself against something if you don’t know it exists? NASAA recommends firms institute risk assessments and identify certain persons within the firm to handle cybersecurity issues if they arise. The checklist specifically calls out the following as best practices:

• Conduct frequent risk assessments (at least annually)
• Risk assessment should include:
  • Review of data collected
  • Where data is stored
  • Identify if data is encrypted
• Identify “insider” risks*
• Identify potential third-party risks**
• Determine if the firm enforces cybersecurity practices***
• Identify internal points of contact in event of a cybersecurity event
• Determine if the firm has proper hardware and software

*An “insider” risk refers to internal threats from disgruntled employees.

**Third parties are persons other than clients that may have access to confidential information. This could include outside vendors (e.g. a company that prints disbursement checks) and authorized parties (e.g. accountants, persons with power of attorney (POA)).

***Best practices involved with cybersecurity include frequent password changes, locking of devices, protocols for reporting stolen information, etc.

Protect

Once cybersecurity threats have been assessed and identified, the firm should move to protect its digital infrastructure. NASAA breaks down this part of its checklist into several categories:

• Email
• Devices
• Cloud storage
• Firm websites
• Custodians & third-party vendors
• Encryption

Email
Firms should move to identify the information transmitted via email, in hopes of avoiding the distribution of sensitive information through unverified means. If sending sensitive information, the firm should have an authentication system in place to verify its client. Additionally, firm employees should be aware of the status of emails (whether they’re secured or not).

Devices
Firms should be aware of what devices (e.g. computers, phones) have access to sensitive information, and whether those devices are adequately secured. Routine backups should occur and be tested. Routine audits of the existing devices should be facilitated. Protocols relating to the destruction of devices should be created as well.

Use of cloud services
Registered persons should perform due diligence when hiring third-party vendors for cloud services. Confirming the vendor has safeguards in place and a documentation system for breaches must be confirmed as a part of the due diligence process.

Firm websites
Identification of the persons with access to a firm’s website is important. Additionally, firms should identify whether client data is available on the website, and if so, ensure that information is secured.

Custodians & third party vendors
When an investment adviser uses an outside firm (e.g. broker-dealer or bank) to maintain custody of their client accounts, due diligence should be performed on their cybersecurity system. This also applies to any outside vendors that have access to sensitive client information (e.g. a company that prints client statements).

Encryption
Encryption is the process of encoding information for the purpose of hiding it from hackers and other bad actors. Firms should actively utilize encryption when transmitting sensitive information on the internet.

Detect

Financial firms should have multiple systems in place to detect cybersecurity issues when they occur. Detection-based recommendations from NASAA include:

• The use of antivirus software
• Antivirus software must be continually updated
• Employees are trained on how to use cybersecurity software
• Utilization of firewalls
• Procedures in place to identify and alert personnel when cybersecurity events occur

Respond

If a cybersecurity event occurs, protocols should exist to properly respond to the issue. NASAA recommends putting the following procedures in place:

• Protocols for notification to the appropriate authorities
• Protocols for notification to the press
• Protocols for notification to impacted clients

Recover

Once a cybersecurity event occurs, the firm must move to protect its digital infrastructure from further attacks. The following protocols should be implemented:

• Determination of whether cybersecurity insurance should be obtained
• Analysis of cybersecurity insurance if purchased
• Ensure cybersecurity is not voided due to employee misconduct
• Business continuity plan in place
• Data retrieval program in place
• Firm provides training on data recovery