4.6.7 Cybersecurity
Achievable Series 65
4. Laws & regulations
4.6. Ethics

Cybersecurity


As registered persons continue to modernize their businesses, cybersecurity issues are becoming more common. Many firms now keep customer records and sensitive documents in digital form, often using cloud storage. Because hackers and other bad actors routinely try to steal identities and confidential information, financial institutions need clear ways to protect client data.

The North American Securities Administrators Association (NASAA) created a cybersecurity checklist to help investment advisers and investment adviser representatives (IARs) ensure the integrity of their systems.

*NASAA provides cybersecurity guidance for advisory firms, but doesn’t have much to say about broker-dealers. This difference comes from how each is regulated. Broker-dealers are regulated by both the Securities and Exchange Commission (SEC) (federal) and the state administrator. Because federal law generally supersedes state law, the SEC is the primary source of cybersecurity guidance for broker-dealers. Since the Series 65 is a state-based exam, those federal broker-dealer rules are generally not tested, while rules applicable to state-registered advisers are. Still, the ideas in this chapter are useful for all registered persons.

We’ll use NASAA’s cybersecurity checklist to guide us through best practices. The document breaks down cybersecurity into five categories:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Identify

The first step is identifying the cybersecurity risks the firm faces. If you don’t know what threats exist, it’s hard to protect against them. NASAA recommends that firms perform risk assessments and designate specific people to handle cybersecurity issues if they arise. The checklist highlights these best practices:

  • Conduct frequent risk assessments (at least annually)
  • Risk assessments should include:
    • A review of the data collected
    • Where that data is stored
    • Whether that data is encrypted
  • Identify “insider” risks*
  • Identify potential third-party risks**
  • Determine if the firm enforces cybersecurity practices***
  • Identify internal points of contact in the event of a cybersecurity event
  • Determine if the firm has proper hardware and software

*An “insider” risk refers to internal threats from disgruntled employees.

**Third parties are persons other than clients that may have access to confidential information. This could include outside vendors (e.g. a company that prints disbursement checks) and authorized parties (e.g. accountants, persons with power of attorney (POA)).

***Best practices involved with cybersecurity include frequent password changes, locking of devices, protocols for reporting stolen information, etc.

Protect

After identifying threats, the firm should take steps to protect its digital infrastructure. NASAA breaks this part of the checklist into several categories:

  • Email
  • Devices
  • Cloud storage
  • Firm websites
  • Custodians & third-party vendors
  • Encryption

Email
Firms should identify what information is being transmitted via email so they can avoid sending sensitive information through unverified channels. If sensitive information must be sent, the firm should use an authentication system to verify the client. Employees should also understand the status of emails (for example, whether an email is secured or not).

Devices
Firms should know which devices (e.g. computers, phones) can access sensitive information and whether those devices are properly secured. Backups should be performed routinely and tested. Firms should also conduct routine audits of devices and establish protocols for the destruction of devices.

Use of cloud services
Registered persons should perform due diligence when hiring third-party vendors for cloud services. As part of that due diligence, confirm that the vendor has safeguards in place and a documentation system for breaches.

Firm websites
It’s important to identify who has access to the firm’s website. Firms should also determine whether client data is available on the website and, if it is, ensure that information is secured.

Custodians & third-party vendors
When an investment adviser uses an outside firm (e.g. broker-dealer or bank) to maintain custody of client accounts, the adviser should perform due diligence on that firm’s cybersecurity systems. This also applies to any outside vendors that have access to sensitive client information (e.g. a company that prints client statements).

Encryption
Encryption is the process of encoding information so that hackers and other bad actors who intercept it can’t read it. Firms should use encryption when transmitting sensitive information over the internet.

Detect

Firms should have systems in place to detect cybersecurity issues when they occur. NASAA’s detection recommendations include:

  • Use of antivirus software
  • Continual updating of antivirus software
  • Employee training on how to use cybersecurity software
  • Use of firewalls
  • Procedures to identify cybersecurity events and alert personnel when they occur
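The last item in the list, procedures that identify an event and alert personnel, is the one that can be shown concretely. The following is an added example for this section, not code from Achievable or NASAA. It scans constructed login-log lines (the log format, the timestamps, the addresses, and the threshold of five failures within five minutes are all assumptions made for the example) and raises one alert per source address that produces a burst of failed logins; it also flags the case a responder cares about most, a successful login from the same address right after the burst.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample log lines, assumed to be in chronological order, in a
// hypothetical "timestamp user source-ip result" format.
var sampleLog = []string{
	"2024-03-01T09:00:01Z alice 203.0.113.5 FAIL",
	"2024-03-01T09:00:05Z alice 203.0.113.5 FAIL",
	"2024-03-01T09:00:09Z alice 203.0.113.5 FAIL",
	"2024-03-01T09:00:12Z alice 203.0.113.5 FAIL",
	"2024-03-01T09:00:15Z alice 203.0.113.5 FAIL",
	"2024-03-01T09:00:20Z alice 203.0.113.5 OK",
	"2024-03-01T09:30:00Z bob 198.51.100.7 FAIL",
	"2024-03-01T10:30:00Z bob 198.51.100.7 FAIL",
	"2024-03-01T11:00:00Z carol 192.0.2.9 OK",
}

// Event is one parsed log line.
type Event struct {
	At     time.Time
	User   string
	IP     string
	Result string
}

// Alert describes a burst of failed logins from one source address.
type Alert struct {
	IP        string
	User      string
	Failures  int  // most failures seen inside one window
	Succeeded bool // a successful login from the same IP followed the burst
}

// ParseLine splits one log line into an Event, rejecting malformed input.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Event{}, fmt.Errorf("malformed log line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	return Event{At: at, User: f[1], IP: f[2], Result: f[3]}, nil
}

// FailedLoginAlerts returns one Alert for every source IP that logs at least
// threshold failures within any sliding window of the given length.
func FailedLoginAlerts(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	recent := map[string][]time.Time{} // failure times per IP, trimmed to the window
	alerts := map[string]*Alert{}
	var order []string // keeps alerts in first-seen order
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		switch ev.Result {
		case "FAIL":
			hist := append(recent[ev.IP], ev.At)
			for len(hist) > 0 && ev.At.Sub(hist[0]) > window {
				hist = hist[1:] // drop failures that fell out of the window
			}
			recent[ev.IP] = hist
			if len(hist) >= threshold {
				a, seen := alerts[ev.IP]
				if !seen {
					a = &Alert{IP: ev.IP, User: ev.User}
					alerts[ev.IP] = a
					order = append(order, ev.IP)
				}
				if len(hist) > a.Failures {
					a.Failures = len(hist)
				}
			}
		case "OK":
			// A success shortly after an alerted burst deserves immediate attention.
			if a, seen := alerts[ev.IP]; seen {
				hist := recent[ev.IP]
				if len(hist) > 0 && ev.At.Sub(hist[len(hist)-1]) <= window {
					a.Succeeded = true
				}
			}
		}
	}
	out := make([]Alert, 0, len(order))
	for _, ip := range order {
		out = append(out, *alerts[ip])
	}
	return out, nil
}

func main() {
	alerts, err := FailedLoginAlerts(sampleLog, 5, 5*time.Minute)
	if err != nil {
		fmt.Println("log parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("ALERT: %d failed logins from %s (user %s) in one window; login succeeded afterwards: %v\n",
			a.Failures, a.IP, a.User, a.Succeeded)
	}
}
```

Run against the constructed log, the five rapid failures for alice trigger one alert and the later successful login is flagged, while bob’s two failures an hour apart stay below the threshold. In a real firm this function would sit behind whatever delivers the alert (email, ticket, pager) to the internal point of contact named under Identify.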

Respond

If a cybersecurity event occurs, the firm should have protocols to respond appropriately. NASAA recommends putting these procedures in place:

  • Protocols for notification to the appropriate authorities
  • Protocols for notification to the press
  • Protocols for notification to impacted clients

Recover

After a cybersecurity event, the firm must work to recover and protect its digital infrastructure from further attacks. The following protocols should be implemented:

  • Determination of whether cybersecurity insurance should be obtained
  • Analysis of cybersecurity insurance if purchased
  • Ensure cybersecurity insurance coverage is not voided by employee misconduct
  • Business continuity plan in place
  • Data retrieval program in place
  • Firm provides training on data recovery

Key points

NASAA’s cybersecurity checklist

  • Identify
    • Identify the cybersecurity threats the firm and customers may be subject to
  • Protect
    • Protect the digital infrastructure of the firm
  • Detect
    • Utilize software and other protections to detect cybersecurity threats
  • Respond
    • Create protocols for responding to cyber attacks
  • Recover
    • Move quickly to recover and protect digital assets and client information

All rights reserved ©2016 - 2026 Achievable, Inc.