By Sid Yenamandra
Broker/dealers and large RIAs manage workforces that operate from many decentralized locations. They would do well to adopt a security model that is already gaining ground outside the advice industry: the “Zero Trust” approach, which stops treating network location as proof of trust and instead bases every access decision on verified identity and device state.
Under a Zero Trust approach, every service request made by a user or device is evaluated for risk, explicitly authorized, and then secured end to end, with the evidence behind each decision recorded. In the independent wealth management space the picture is further complicated because the users include employees, advisors, third-party vendors and clients.
Of course, as long as a firm hands people software and hardware to use on their own, it is effectively “entrusting” them with sensitive information and resources. But unlike an honor system that simply takes people at their word, the firm must be able to verify how sensitive information is actually used and place enforceable restrictions on how it may be used.
People as the Perimeter
Cloud applications and distributed users create a host of new security challenges. The network is no longer the security perimeter; people are. Companies need a flexible security architecture that satisfies regulators while accommodating a dispersed, mobile workforce using many apps and devices, from anywhere and at any time.
Consider a web application: financial advisors frequently log in to a portal to view their commission statements. When they enter their credentials at the login screen, authentication should require more than a six-digit code texted to their phone (an SMS code can be phished right along with the password, or intercepted through a SIM swap). The broker/dealer’s system should also examine the security posture of each user’s device and account for the varying safety of each user’s network, how current each user is on periodic security awareness training, each user’s score on those tests, and whether that score is trending up or down.
Similar concepts apply to banks, which intersect with wealth management firms by custodying large portions of client assets. When an employee accesses a cloud banking application to process a loan, the broker/dealer’s data should remain secure despite vulnerabilities on the employee’s device or network. Moreover, the firm needs to detect those vulnerabilities and ensure the employee remediates them before access is granted. From a policy standpoint, the firm must also settle in advance which party is liable if the banking session is compromised: the employee, the broker/dealer or the bank.
Minimize Human Error
When building a Zero Trust security architecture, keep in mind that the main purpose is to minimize the chance of data breaches caused by human error. In part, firms do this by developing a demonstrable culture of continuous compliance.
To minimize breaches, every service request must be treated as a possible source of one and therefore be properly evaluated, authorized and then secured end to end. The model must also account for each user’s holistic cyber identity: the user’s credentials plus additional factors such as the device’s security posture, the vulnerabilities of the network the request arrives from, and the user’s awareness of current security issues.
Firms should implement a policy-based user authentication and authorization strategy. The access policy must weigh several factors, which vary across companies but must include the security posture of the device: anti-virus and disk encryption status; operating system patch level; network exposure, such as whether the device is on a secured Wi-Fi network or an open public one; and whether the user knows corporate security policies and key threat concepts.
One of the most important points about a Zero Trust approach is that different elements of the authentication and authorization policy may need different weightings, and a few (an unencrypted disk, a device missing from the inventory) may warrant an outright denial regardless of how the other factors score. In the same vein, broker/dealers and RIAs should inventory every user, device and network that accesses their systems. It is also wise to eliminate static credentials and passwords, which are among the most common sources of breaches. A final consideration is to understand and document normal behavioral patterns: every company operates differently, so its processes and its users’ behavior will vary as well, and a departure from the documented baseline is itself a risk signal.
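The portal login described under “People as the Perimeter” and the weighted policy factors above can be put together as a small risk-scoring engine. The following is an added example, not code from the article or from Entreda: the factor names, the weights, the per-factor risk values, the 25/55 thresholds and the sample request are all assumptions chosen to illustrate the approach. Each factor is scored 0 to 100, weighted, and summed; posture that a device agent failed to report counts as full risk rather than as a pass, and two conditions (device not in inventory, disk encryption switched off) deny access outright before any weighting is applied.

```python
# Added example (not code from the article or from Entreda): a weighted,
# policy-based access decision for a portal login. Factor names, weights,
# risk values and thresholds are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessContext:
    """What the policy engine knows about one request. None = not reported."""
    user: str
    mfa_method: str                  # "fido2", "totp" or "sms_otp"
    av_running: Optional[bool]
    disk_encrypted: Optional[bool]
    os_patch_age_days: Optional[int]
    network: str                     # "corporate", "home_wpa2" or "public_open"
    training_score: Optional[int]    # latest security-awareness test, 0-100
    training_trend: Optional[int]    # change versus the previous test
    asset_registered: bool           # device is in the firm's inventory


# Weights (summing to 100) express the relative importance of each factor.
# They are assumptions here and would be tuned per firm.
WEIGHTS = {"mfa": 30, "av": 15, "disk": 10, "patch": 15, "network": 15, "training": 15}

# Per-factor risk in percent (0 = no risk, 100 = full risk).
MFA_RISK = {"fido2": 0, "totp": 50, "sms_otp": 100}   # SMS codes are phishable and SIM-swappable
NETWORK_RISK = {"corporate": 0, "home_wpa2": 40, "public_open": 100}


def _bool_risk(reported: Optional[bool]) -> int:
    # An unreported or failing control is treated as fully risky, never as passing.
    return 0 if reported is True else 100


def factor_risks(ctx: AccessContext) -> dict:
    """Score each policy factor from 0 (clean) to 100 (failing or unknown)."""
    risks = {
        "mfa": MFA_RISK.get(ctx.mfa_method, 100),
        "av": _bool_risk(ctx.av_running),
        "disk": _bool_risk(ctx.disk_encrypted),
        "network": NETWORK_RISK.get(ctx.network, 100),
    }
    if ctx.os_patch_age_days is None:
        risks["patch"] = 100
    else:
        risks["patch"] = min(ctx.os_patch_age_days * 100 // 30, 100)  # 30+ days unpatched = full risk
    if ctx.training_score is None:
        risks["training"] = 100
    else:
        t = 100 - ctx.training_score
        if ctx.training_trend is not None and ctx.training_trend < 0:
            t += 20                                     # a declining trend adds risk
        risks["training"] = min(t, 100)
    return risks


def risk_score(ctx: AccessContext) -> int:
    """Weighted risk, 0 (everything clean) to 100 (everything failing or unknown)."""
    risks = factor_risks(ctx)
    return sum(WEIGHTS[k] * risks[k] for k in WEIGHTS) // 100


def hard_fail_reasons(ctx: AccessContext) -> list:
    """Conditions that deny access outright, whatever the weighted score says."""
    reasons = []
    if not ctx.asset_registered:
        reasons.append("device not in inventory")
    if ctx.disk_encrypted is False:
        reasons.append("disk encryption disabled")
    return reasons


def decide(ctx: AccessContext, step_up_at: int = 25, deny_at: int = 55) -> tuple:
    """Return (decision, reasons): 'allow', 'step_up' (re-authenticate with a
    phishing-resistant factor) or 'deny' (remediate before access is granted)."""
    reasons = hard_fail_reasons(ctx)
    if reasons:
        return "deny", reasons
    score = risk_score(ctx)
    flagged = [k for k, r in factor_risks(ctx).items() if r >= 50]
    if score >= deny_at:
        return "deny", [f"risk score {score}"] + flagged
    if score >= step_up_at:
        return "step_up", [f"risk score {score}"] + flagged
    return "allow", [f"risk score {score}"]


if __name__ == "__main__":
    # Constructed sample request: an advisor on a patched, registered laptop,
    # but using SMS OTP from a home network with a declining training score.
    ctx = AccessContext("advisor1", "sms_otp", True, True, 10, "home_wpa2", 80, -5, True)
    print(decide(ctx))
```

The returned reasons are what the “documented evidence” requirement calls for: every decision, including a denial, records which factors drove it, so the firm can show the user what to remediate and can audit the policy later. Treating an unreported factor as full risk is deliberate; a device agent that is absent or silenced should never look healthier than one that reports honestly.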
Collaborate But Verify
Accomplishing all this requires broker/dealers and RIAs to adopt a platform that automates many of these tasks while providing human expertise to manage the flow of security data. The software should also give each firm and each user a score that captures their level of cyber risk based on their actions. With such a unified defense in place, firms can focus on their core competency: financial advice.
A Zero Trust approach still allows broker/dealers and RIAs to collaborate with their teams, vendors and clients; indeed, that is a tenet of good business. Another tenet is maintaining a secure operation: verifying how information can be used and making every effort to control how it is used, for the good of all.
Sid Yenamandra is the co-founder and CEO of Entreda, which provides comprehensive cybersecurity solutions for independent retail financial advice firms and their advisors.