As a complement to its compliance technology, RIA in a Box announced a standalone and bundled version of a cybersecurity training and attack simulation platform, designed specifically for RIAs. The platform, which does not have its own product name and is sold as a monthly subscription service for firms, also includes tools to take stock of a firm’s technology inventory and the ability to build a customized information security policy. A standalone package starts at $250 per firm per month, with 10 user licenses, while the version bundled with the MyRIACompliance package starts at $200 per firm per month.
Training portions of the offering include videos, quizzes and test questions for users, as well as separate modules for employees and the firm’s CCO. The subscription pricing hints at the ongoing nature of the training that comes on the platform. That’s because the days of a one-off set of cybersecurity lessons are numbered, said of the compliance technology provider. “If you look at any recent enforcement actions that have been related to cybersecurity, they virtually all start with a human mistake that was due to a lack of training,” he explained. “We believe that the right way to conduct training is to conduct ongoing training and from a regulatory standpoint, that's kind of what they're looking for.”
The service will also have a system for tracking incidents and ensuring that they have been resolved, as well as automated phishing emails that are sent to employees as a test. Another feature of the offering is the device inventory, which allows firms to document the security measures included on employees’ devices.
The platform is a good first step for firms, but shouldn’t be seen as an end-all, be-all solution, said John Boulanger, founder of cybersecurity firm Stillwater Cyber Compliance in Philadelphia. He worries that a tech-based solution might not provide the right level of nuance for small, regional firms. “Our community right now is just woefully beguiled,” he said. Too often firms fail to get a second opinion on their security measures and training because they’re lured into a sense of false security by vendors and software giving them the “all clear,” he noted.
“If we get news we expect, we will never get a second opinion,” he explained.
Another concern of Boulanger's was the notion that all employees at a firm would be able to keep up with the training. He likened a tech-based approach to a required college course: Not all the students in the class might master the concepts, and without a teacher at the head of the classroom, those students might be overlooked. “You have to have the human touch involved,” he added.
Former compliance consultant and co-founder of Complect, Hanh Nguyen, cautioned that one-size-fits-all training tends to fall flat. “One of my frustrations as a compliance consultant is when clients think they can just completely outsource a function and pawn off responsibility onto that third-party service provider, without having to spend time and care on it. It’s just not possible,” she said. “All tech and all consulting is a collaborative effort. Training will fail if the training isn’t tailored to the company’s actual policies and procedures.”
It should help that RIA in a Box’s offering is designed for the wealth management industry. Another tool that offers phishing attack simulations and other security awareness training, KnowBe4, offers a more expensive service that is more generalist. RIA in a Box already has 50 firms signed up for the service, King said.
While RIA in a Box is certainly trying to make its product attractive to smaller firms, there may be a limit to the size of the firm that can afford its product, said Mark Bell, a former regulator and principal consultant at the cybersecurity and compliance firm Tirador Compliance LLC in Englewood, Colo. “The RIA in a Box cybersecurity platform looks like an offering that is designed to meet what regulators are requiring from advisory firms,” he said, but added that its value will partially depend on whether it ends up simplifying life for a CCO, or making it more complicated. “I don’t know how helpful a one-person firm will view the phishing attack simulation, but I can see how it would provide the CCO of a larger firm a level of testing and rep supervision.”
While the overall value of the product remains to be seen, there’s little argument that more cybersecurity training for advisors and other wealth management professionals is a good thing. “You and your firm’s staff are either your greatest cybersecurity defense—or weakness,” noted King. “The human side is far too often overlooked.”