Perusing the news of recent regulatory actions, I noted several against wealth management firms for cyber breaches. These attacks had resulted in the takeover of email accounts and the exposure of client data. A quote in the regulatory action statement caught my eye as though it had leapt off my screen:
"It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit.
The quote highlights the gap that often exists between firms’ policies and procedures and the cybersecurity measures, solutions and platforms they actually have in place. The sad fact is that some firms take a CYA approach to cybersecurity, one that seems more aimed at satisfying the bare minimum of requirements on documentation rather than actually protecting user data.
For wealth management firms to be serious about keeping their users and clients safe, they must walk the walk, not just talk the talk. “Walking the walk” involves ensuring that three general needs are addressed, in addition to the initial step of making sure written policies meet SEC and FINRA guidelines.
Comprehensive Risk Assessment of a Firm’s Cybersecurity Posture
Understanding the most pressing threats a firm faces first entails getting a holistic lay of the land on where its vulnerabilities are. Gaps in the defenses can lurk in hardware—mobile and laptop devices, connected peripherals and network infrastructure.
They can also emerge in any number of the software platforms and solutions that firms and advisors use to manage accounts and serve clients. And they can be with users themselves, particularly those who are less careful about opening email links and clicking on attachments.
A robust cyber defense system starts with the ability to analyze information on vulnerabilities, wherever they may be hiding, and to give information security and data privacy decision-makers the complete picture of their organizations. If they don’t have that 360-degree view, they can be sure that the next attack will exploit their networks’ blind spots.
A Holistic Cybersecurity Risk Mitigation Plan
Armed with the comprehensive perspective of their cyber risk posture, firms should implement an equally comprehensive plan to address their vulnerabilities.
This includes the capability to continuously monitor cyber posture in real time, including devices, networks and users, so that firms can stay ahead of the dynamic nature of cyber threats. For example, the first time a user tries to access the network through a new device, systems can evaluate the risk the device presents, in addition to gauging the risk entailed in allowing the user in: has the user, for instance, completed the requisite phishing training and simulations?
The system should be able to automatically remediate any red flags it encounters in real time before it allows access to a risky device or user. If the new device is running an older, less protected version of its operating system, for example, the firm’s cyber systems can automatically send a patch to be installed. If a user is out of date on security training, the system can lock them out of the network until that training has been completed.
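The new-device check described above, worked through as an added Python example (not Entreda's or the column's own code): it evaluates device risk (OS version) and user risk (phishing training), picks a remediation, and keeps an audit record of the decision. The minimum OS version, the one-year training window and the action names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, List, Dict

# Assumed policy thresholds (placeholders, not values from the column).
MIN_OS_VERSION = (14, 1, 0)              # oldest OS build allowed onto the network
TRAINING_VALIDITY = timedelta(days=365)  # phishing training must be renewed yearly

@dataclass
class Device:
    device_id: str
    os_version: str   # dotted string such as "14.0.3"

@dataclass
class User:
    username: str
    last_phishing_training: Optional[date]  # None = never completed

@dataclass
class Decision:
    outcome: str        # "allow", "remediate_then_allow" or "deny"
    actions: List[str]  # automated remediation steps to run first
    audit: Dict         # record kept so the firm can show its work to regulators

def parse_version(version: str) -> tuple:
    """Turn "14.0.3" into (14, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))

def evaluate_access(user: User, device: Device, today: date) -> Decision:
    """Evaluate a new-device access attempt: patch an outdated OS before admitting
    the device, and lock out a user whose phishing training is missing or expired."""
    actions, reasons = [], []
    if parse_version(device.os_version) < MIN_OS_VERSION:
        reasons.append("os_below_minimum")
        actions.append(f"push_os_patch:{device.device_id}")
    trained = user.last_phishing_training
    if trained is None or today - trained > TRAINING_VALIDITY:
        reasons.append("training_overdue")
        actions.append(f"lock_until_training:{user.username}")
    if "training_overdue" in reasons:
        outcome = "deny"                  # user risk blocks access outright
    elif actions:
        outcome = "remediate_then_allow"  # device risk: admit only once patched
    else:
        outcome = "allow"
    audit = {"date": today.isoformat(), "user": user.username,
             "device": device.device_id, "reasons": reasons, "outcome": outcome}
    return Decision(outcome, actions, audit)
```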
Equal attention should be paid to third-party vendors whose work with the firm necessitates access to sensitive data.
Ensure Audit Reporting Needs Meet Stringent SEC/FINRA Guidelines
Once firms have documented their policies and procedures and implemented the necessary systems to diagnose, monitor and remediate their networks’ vulnerabilities, they must be able to “show their work” to regulators should they be audited. If breaches still occur, they must make all required notifications to affected users and clients.
Necessary—But Not Sufficient
In the end, having policies and procedures that lay out the broad-brush strokes of a holistic cybersecurity plan is a necessary and fundamental first step to protecting sensitive data from cyber thieves. It’s the defense plan, as it were.
Yet the best game plan in the world means nothing if a firm’s cybersecurity team does not put the infrastructure and solutions in place to implement the plan. Firms must make sure they are more than just talk on cybersecurity; they must put that talk into action.
Sid Yenamandra is the founder and CEO of cybersecurity compliance software provider Entreda, a wholly owned subsidiary of Smarsh.