Cybersecurity

As registered persons continue to modernize their businesses, cybersecurity issues are becoming more common. Many firms now keep customer records and sensitive documents in digital form, often using cloud storage. Since hackers and other bad actors routinely try to steal identities and confidential information, financial institutions need clear ways to protect client data.

The North American Securities Administrators Association (NASAA) created a cybersecurity checklist to help investment advisers and investment adviser representatives (IARs) ensure the integrity of their systems.

*NASAA provides cybersecurity guidance for advisory firms, but doesn’t have much to say about broker-dealers. This difference comes from how each is regulated. Broker-dealers are regulated by both the Securities and Exchange Commission (SEC) (federal) and the state administrator. Because federal law generally supersedes state law, the SEC is the primary source of cybersecurity guidance for broker-dealers. Since this is a state-based exam, those federal rules are generally not covered on the Series 66, while rules and guidance applicable to state-registered advisers are tested. The components of this chapter can be thought of as relevant to all registered persons.

We’ll use NASAA’s cybersecurity checklist to guide us through best practices. The document breaks cybersecurity into five categories:

• Identify
• Protect
• Detect
• Respond
• Recover

Identify

The first step is identifying the cybersecurity risks the firm faces. If you don’t know what threats exist, it’s hard to protect against them. NASAA recommends that firms perform risk assessments and designate specific people to handle cybersecurity issues if they arise. The checklist highlights these best practices:

• Conduct frequent risk assessments (at least annually)
• Risk assessment should include:
  • Review of data collected
  • Where data is stored
  • Identify if data is encrypted
• Identify “insider” risks*
• Identify potential third-party risks**
• Determine if the firm enforces cybersecurity practices***
• Identify internal points of contact in event of a cybersecurity event
• Determine if the firm has proper hardware and software

*An “insider” risk refers to internal threats from disgruntled employees.

**Third parties are persons other than clients that may have access to confidential information. This could include outside vendors (e.g. a company that prints disbursement checks) and authorized parties (e.g. accountants, persons with power of attorney (POA)).

***Best practices involved with cybersecurity include frequent password changes, locking of devices, protocols for reporting stolen information, etc.

Protect

After assessing and identifying threats, the firm should protect its digital infrastructure. NASAA organizes this part of the checklist into several areas:

• Email
• Devices
• Cloud storage
• Firm websites
• Custodians & third-party vendors
• Encryption

Email
Firms should identify what information is being transmitted by email and avoid sending sensitive information through unverified channels. If sensitive information must be sent, the firm should use an authentication system to verify the client. Employees should also understand whether an email is secured or unsecured.

Devices
Firms should know which devices (e.g. computers, phones) can access sensitive information and whether those devices are properly secured. Backups should be performed regularly and tested. Firms should also conduct routine audits of devices and establish protocols for the secure destruction of devices.

Use of cloud services
Registered persons should perform due diligence when selecting third-party cloud vendors. As part of that process, confirm that the vendor has safeguards in place and maintains documentation procedures for breaches.

Firm websites
Firms should identify who has access to the firm’s website. They should also determine whether client data is accessible through the website and, if so, ensure that information is properly secured.

Custodians & third party vendors
When an investment adviser uses an outside firm (e.g. broker-dealer or bank) to maintain custody of client accounts, the adviser should perform due diligence on that firm’s cybersecurity systems. The same applies to outside vendors that may access sensitive client information (e.g. a company that prints client statements).

Encryption
Encryption is the process of encoding information online so it can’t be read by hackers or other bad actors. Firms should use encryption when transmitting sensitive information over the internet.

Detect

Firms should have systems in place to detect cybersecurity issues as they occur. NASAA’s detection recommendations include:

• The use of antivirus software
• Antivirus software must be continually updated
• Employees are trained on how to use cybersecurity software
• Utilization of firewalls
• Procedures in place to identify and alert personnel when cybersecurity events occur

Respond

If a cybersecurity event occurs, the firm should have protocols to respond appropriately. NASAA recommends procedures for:

• Protocols for notification to the appropriate authorities
• Protocols for notification to the press
• Protocols for notification to impacted clients

Recover

After a cybersecurity event, the firm must work to restore operations and protect its systems from further attacks. NASAA recommends implementing these protocols:

• Determination of whether cybersecurity insurance should be obtained
• Analysis of cybersecurity insurance if purchased
• Ensure cybersecurity is not voided due to employee misconduct
• Business continuity plan in place
• Data retrieval program in place
• Firm provides training on data recovery