Firms’ RIA or Registered Investment Adviser Regulator for Cybersecurity Core Elements
Crelano@mahadvising.com
Today, an increasing number of financial services firms conduct their business digitally. These firms use innovative technologies to make every part of their day-to-day operations more convenient and cost-effective. With a client portal, your clients can easily complete and sign their necessary documents, conduct meetings with advisors, and access live portfolio reports.
The convenience of the digital, online age has made business accessible to more people and helped them take advantage of more opportunities, but registered investment adviser (“RIA”) firms have also become more exposed. As technology advances rapidly, hackers often find weaknesses they can exploit to access customer data.
RIAs face unique cybersecurity risks in relation to their technology, staff, clients, and third-party vendors, and any of these areas can result in a massive data breach if a firm fails to guard it accordingly. Cyber-attacks do more than expose sensitive client information: you may never fully recover from the reputational damage they cause. Furthermore, state regulators or the Securities and Exchange Commission (“SEC”) will not take cybersecurity vulnerabilities lightly in the context of an audit. Security has been flagged as a priority among investment adviser regulators for a number of years.
The following are three specific areas where RIA firms face unique cybersecurity issues:
1) Risks posed to people
RIA firms and other organizations in the financial sector are prone to phishing attacks, which are one of the most common ways hackers obtain access to their systems.
The goal of a phishing campaign is to convince one or more employees of a firm to perform some type of action that will lead to the installation of malware on the company’s network. Sometimes the employee does not recognize the sender of the email, but the email appears to be harmless. You might also notice a similarity between the sender’s address and that of the firm. For example, the firm’s email addresses might end in @mahadvisingria.com, while the bad actor sends emails from @mahadvising.ria.mail.com.
In the email itself, you may see a message that says, “Are you familiar with this?” along with a link. Subject lines typically include words such as “Urgent” or “Important.” Can it really be that easy? In 2020, phishing was the most popular hacker technique, and 74% of companies suffered an effective phishing attack, as reported by the Federal Bureau of Investigation (“FBI”). Among the reasons was the shift to remote work resulting from the pandemic. In fact, there were 11 times as many phishing attempts in 2020 as in 2016.
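The lookalike-domain trick above can be caught mechanically. The following is an added example, not code from the article or from the firm it describes: it classifies a sender address against the firm’s own domain, treating an exact (or subdomain) match as internal and flagging any domain that, once dots and hyphens are removed, still contains the firm’s brand label. The firm domain mahadvisingria.com is taken from the article; the sample sender addresses are constructed.

```python
"""Flag sender addresses whose domain imitates the firm's own domain.

Heuristic, not a full anti-phishing stack: an exact domain match (or a
subdomain of it) is internal, a sender whose domain with separators
squeezed out still contains the firm's brand label is a lookalike, and
everything else is plain external mail.
"""
import re

def _domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return ""
    local, domain = addr.split("@")
    if not local or not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", domain):
        return ""
    return domain

def _brand_label(firm_domain: str) -> str:
    """The firm's brand label: 'mahadvisingria' for 'mahadvisingria.com'."""
    return firm_domain.lower().split(".")[0]

def classify_sender(address: str, firm_domain: str) -> str:
    """Classify an address as 'internal', 'lookalike', 'external' or 'invalid'."""
    domain = _domain_of(address)
    if not domain:
        return "invalid"
    firm = firm_domain.lower()
    if domain == firm or domain.endswith("." + firm):
        return "internal"
    # Collapse separators so 'mahadvising.ria.mail.com' still reads as the brand.
    squeezed = re.sub(r"[.-]", "", domain)
    if _brand_label(firm) in squeezed:
        return "lookalike"
    return "external"

def flag_lookalikes(addresses, firm_domain):
    """Return the subset of addresses classified as lookalikes, in input order."""
    return [a for a in addresses if classify_sender(a, firm_domain) == "lookalike"]

# Constructed sample senders (not from the article) built on the article's example domains.
SAMPLE_SENDERS = [
    "advisor@mahadvisingria.com",
    "ops@mahadvising.ria.mail.com",
    "billing@mah-advisingria.co",
    "news@example.org",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:35} {classify_sender(sender, 'mahadvisingria.com')}")
```

A mail gateway rule or a quick check over exported message headers can use the same classification to quarantine or tag lookalike senders before staff see them.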
In RIA firms that have been the victims of successful phishing, ransomware is a common outcome. In the case of ransomware, hackers are able to disable the technology of a company, to keep their data hostage, and even to threaten to sell that information, unless they receive a fee from the firm.
With just one innocent click, hackers can gain access to your computers. So, in order to defend against phishing, you must teach your employees how to identify phishing scams. As their awareness increases, your vulnerability in this area will decrease. In addition to educating your team, clients must also be educated on how you will communicate with them and what information you will need from them.
The Internal Revenue Service (“IRS”) and other institutions send notices to their clients saying that they never ask for personal information over the phone; this is a protection against impersonators. Be as transparent as possible with your clients: explain exactly how their information will be collected, and emphasize the ways in which you will contact them.
2) Risks related to technology
Education can often mitigate people-related risks, while technology risks can often be reduced by using the security options your current IT provider already offers.
According to the SEC risk alert released in May 2019, RIAs failed to adequately protect their storage solutions, which is a particularly vulnerable area. Most of the time, the remedy was simply configuring the security settings on the storage solution. Specifically, the alert pointed out three areas that investment advisers or investment adviser regulators often overlook:
- Storage solutions that are not configured appropriately: Misconfigured settings typically stem from poor oversight when storage solutions are implemented. For firms that lack the resources and expertise to do so themselves, our recommendation is to use a third-party resource for the initial installation of on-premises data storage and for ongoing monitoring and maintenance.
- A lack of oversight of vendor-provided cloud storage: Today’s cloud-based storage solutions come with a host of cutting-edge cybersecurity features. Firms, however, must implement these features correctly. Security features such as encryption and two-factor authentication should be used by RIA firms whenever they are available in order to better protect sensitive information.
- Insufficient procedures and policies regarding data classification: Advisory firms need to determine appropriate controls for each category of data stored electronically in order to protect sensitive information. Ensure you are taking advantage of the protection you are already paying for by reviewing your security settings throughout your storage solutions.
3) Risks associated with third-party vendors
To make them easier to remember, people tend to use similar passwords and usernames on multiple systems. That convenience often comes at a high cost, because it is exactly what credential stuffing, a common hacker technique, relies on.
In credential stuffing, a hacker takes a list of credentials obtained from a previous breach and tries them against another system, attempting countless logins with every password on the list. How does this relate to third-party vendors? According to the SEC:
“Firm’s internet-facing websites (including systems hosted by third-party vendors) are the most vulnerable because if compromised, attackers can initiate transactions and/or gain access to non-public information.”
Access to login sites like your client portal unfortunately provides hackers access to highly valuable information.
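The pattern described above, one source trying a breached list against many accounts, is visible in a login site’s authentication logs. The following is an added example, not code from the article or from the firm it describes: it parses constructed log lines (timestamp, source IP, username, outcome), flags any source that fails against at least a threshold number of distinct accounts within a time window, and then lists the successful logins from flagged sources, which are the accounts to lock and notify. The log format, the IP addresses and the thresholds are assumptions.

```python
"""Spot credential-stuffing patterns in constructed authentication logs.

A single source that fails logins against many *different* accounts in a
short window is the signature of a stuffed credential list, unlike one user
mistyping their own password. Thresholds are assumptions, not a standard.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): timestamp, source IP, user, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:03 203.0.113.7 carol FAIL
2024-03-01T09:00:04 203.0.113.7 dave FAIL
2024-03-01T09:00:05 203.0.113.7 erin FAIL
2024-03-01T09:00:06 203.0.113.7 frank OK
2024-03-01T09:00:10 198.51.100.4 alice FAIL
2024-03-01T09:00:20 198.51.100.4 alice FAIL
2024-03-01T09:00:30 198.51.100.4 alice OK
"""

def parse_log(text):
    """Turn log lines into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted distinct users} for sources whose failed logins
    hit at least `min_users` distinct accounts within any `window`."""
    failures = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        if outcome == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def successes_from_flagged(events, flagged):
    """Successful logins from flagged sources: the accounts to lock and notify."""
    return sorted((ip, user) for _, ip, user, outcome in events
                  if outcome == "OK" and ip in flagged)
```

In the sample, 198.51.100.4 is one user fumbling their own password and is not flagged, while 203.0.113.7 fails against five accounts and then logs in as frank, the login that needs attention.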
In addition, a third-party vendor may pose a greater risk to advisers and investors because sensitive information is often kept on the vendor’s systems. Further, as remote work becomes more prevalent, communication over non-official channels has grown, including texting and documents sent via Zoom chats. While the internet era is extremely convenient, investment adviser regulators must still make sure that security is an important part of their daily routine, both for their clients’ sake and for their own.
Would you like assistance setting up a comprehensive cybersecurity defense? Contact us now!