To help prepare financial services firms for the next round of testing by the Securities and Exchange Commission’s Office of Compliance and Examinations, External IT released a white paper identifying three key areas where financial cybersecurity is weak.
The first is the lack of an official information security policy and proactive auditing of internal technology. Second, too many firms allow employees to move company data to their personal and home devices without any tracking measures in place. Finally, many firms still don’t have any disaster recovery or business continuity plans in case a security breach occurs.
After more than 100 security assessments of wealth management firms, External IT found most companies tend to delegate cybersecurity responsibilities to the Chief Technical Officer or hire an outside consultant. According to the report, either choice tends to be reactive rather than proactive, and sets up the firm for trouble. An uninformed employee could be the greatest threat to cybersecurity, the report states.
“Hackers consistently target financial firms more than any other type of business,” said Justin Kapahi, the technical director for External IT’s financial services practice, who added that firms should take IT security as seriously as they do compliance and portfolio performance. “Advisors owe it to their clients to keep them safe and give them the peace of mind they deserve.”
External IT also reported that many firms either don’t properly vet third-party vendors or use companies with inadequate technology. Software and data recordkeeping requirements need to apply to all third-party technology in order to remain compliant, Kapahi said.