As registered persons continue to modernize their businesses, cybersecurity issues are becoming more prevalent. Nowadays, firms tend to maintain customer records and sensitive documents digitally and in the cloud. Knowing that hackers and other bad actors routinely attempt to steal identities and sensitive information, how do financial institutions protect their clients? The North American Securities Administrators Association (NASAA) created a cybersecurity checklist to help investment advisers and investment adviser representatives (IARs) * ensure the integrity of their systems.
*NASAA provides cybersecurity guidance for advisory firms, but doesn’t have much to say about broker-dealers. This is because of how each person is regulated. Broker-dealers are regulated by both the Securities and Exchange Commission (SEC) (federal) and the state administrator. The SEC primarily provides guidance on cybersecurity to broker-dealers given federal law supersedes state law. Because this is a state-based exam, those rules are generally not covered on the Series 66, but rules applicable to state-based advisers are tested. The components of this chapter can be thought of as relevant to all registered persons.
We’ll use NASAA’s cybersecurity checklist to guide us through best practices. The document breaks down cybersecurity into five categories:
It’s important for registered persons to identify the cybersecurity risks they face. After all, how do you protect yourself against something if you don’t know it exists? NASAA recommends firms institute risk assessments and identify certain persons within the firm to handle cybersecurity issues if they arise. The checklist specifically calls out the following as best practices:
*An “insider” risk refers to internal threats from disgruntled employees.
**Third parties are persons other than clients that may have access to confidential information. This could include outside vendors (e.g. a company that prints disbursement checks) and authorized parties (e.g. accountants, persons with power of attorney (POA)).
***Best practices involved with cybersecurity include frequent password changes, locking of devices, protocols for reporting stolen information, etc.
Once cybersecurity threats have been assessed and identified, the firm should move to protect its digital infrastructure. NASAA breaks down this part of its checklist into several categories:
Email
Firms should move to identify the information transmitted via email, in hopes of avoiding the distribution of sensitive information through unverified means. If sending sensitive information, the firm should have an authentication system in place to verify its client. Additionally, firm employees should be aware of the status of emails (whether they’re secured or not).
Devices
Firms should be aware of what devices (e.g. computers, phones) have access to sensitive information, and whether those devices are adequately secured. Routine backups should occur and be tested. Routine audits of the existing devices should be facilitated. Protocols relating to the destruction of devices should be created as well.
Use of cloud services
Registered persons should perform due diligence when hiring third-party vendors for cloud services. Confirming the vendor has safeguards in place and a documentation system for breaches must be confirmed as a part of the due diligence process.
Firm websites
Identification of the persons with access to a firm’s website is important. Additionally, firms should identify whether client data is available on the website, and if so, ensure that information is secured.
Custodians & third party vendors
When an investment adviser uses an outside firm (e.g. broker-dealer or bank) to maintain custody of their client accounts, due diligence should be performed on their cybersecurity system. This also applies to any outside vendors that have access to sensitive client information (e.g. a company that prints client statements).
Encryption
Encryption is the process of encoding information online for the purpose of hiding it from hackers and other bad actors online. Firms should actively utilize encryption when transmitting sensitive information on the internet.
Financial firms should have multiple systems in place to detect cybersecurity issues when they occur. Detection-based recommendations from NASAA include:
If a cybersecurity event occurs, protocols should exist to properly respond to the issue. NASAA recommends putting the following procedures in place:
Once a cybersecurity event occurs, the firm must move to protect its digital infrastructure from further attacks. The following protocols should be implemented:
Sign up for free to take 1 quiz question on this topic