Disclosure: Please note that the information in this blog and email is based on reports from the SEC that are subject to change and is not our advice. Please refer to the U.S. Securities and Exchange Commission at https://www.sec.gov/ for the latest cybersecurity and compliance information.
As an RIA, you must build a relationship with your clients based on trust. One of the most significant aspects of such trust is managing and protecting sensitive and personal information for investors. Security cameras, ID badges, and locked file cabinets have all been used in the past, but in today's fast-moving digital world, cyber-attacks have emerged as a new (and invisible) threat. According to a recent study, on average, organizations face over 1,100 attacks per week.
Financial firms and institutions have been urged to implement cybersecurity policies and procedures to continue providing investors with data protection. You can keep your firm secure and protected by following these steps and looking at ongoing regulatory proposals.
Disclosures Regarding Cybersecurity Proposed By The SEC
A proposed rule by the SEC called "Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure" was released in March 2022. Among other changes, this disclosure mandates that cybersecurity incidents must be reported within four business days based on evolving concerns about online data security.
Last year, the press release issued by the SEC stated: "The proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents."
Registrants will be required to comply with this rule by:
Establishing policies and procedures that are adequate for detecting and preventing cybersecurity incidents.
Filing periodic reports, including disclosure of past incidents.
Reporting on provisions for ongoing cyberattacks.
Adapting To Security Changes In 2023
In the RIA sector, leadership is crucial in overseeing and implementing proactive cybersecurity defenses so your firm can respond and recover quickly. Cyberattacks and compromised data are serious threats that should be adequately prepared for, particularly in today's tech-driven world. The SEC is proposing regulatory changes in response to the "when, not if" likelihood of cyber threats.
1. Continually Train Your Team
Every individual on your team can serve as the first line of defense against cyberattacks and data breaches by receiving ongoing and robust cybersecurity training.
The senior members of your RIA firm may be responsible for monitoring ongoing cybersecurity measures, but every employee should understand the danger of cybersecurity breaches. Teach them how to identify suspicious emails, detect if their computers are infected, and report any suspicious activity immediately to the appropriate team leader.
2. Protect Yourself By Building A Virtual Wall
To protect your firm's information, your network infrastructure should work in tandem with your cybersecurity policies and procedures. When team members work remotely or in multiple offices, it can be challenging to monitor and manage the security of critical business and client data.
Think about implementing a virtual desktop infrastructure that maintains information security standards while allowing employees to work from anywhere. In addition, there are a few policies you can implement in your advisory firm to help further protect sensitive data, including:
"Restricted access" or "acceptable use" based on job responsibilities.
The use of encryption across the board.
Limited mobile device usage.
Inventory of devices used.
If you don't already keep an up-to-date list of your technology stack, doing so can be helpful, particularly if you need to comply with cybersecurity requirements in the future. Obtain and keep vendor cybersecurity policies on file, and have an appointed team member review the incident reporting process.
3. Periodically Prepare Reports
According to SEC regulations, firms may be required to maintain records of cybersecurity incidents and preventative measures. Creating safety and security reports regularly can help your company identify potential vulnerabilities or confirm that your cybersecurity policies and procedures are working.
Examples of standard cybersecurity reports include:
Patch management reports.
Virus scan reports.
Whenever you run a report or encounter a possible cybersecurity breach, keep detailed records. A member of your team (or team members) should know how to access this information efficiently.
4. Review Your RIA Firm's Cybersecurity Policies Regularly
Regularly reviewing your firm's procedures can provide regulators with documentation of your cybersecurity program. Your prevention and detection program must remain current and flexible to adapt to emerging cybersecurity threats to remain secure.
5. Simulate Attacks To Test Your Defensive Measures
An authorized simulated cyberattack on your infrastructure and systems may be necessary for your management team to understand your strengths and weaknesses before an actual cyberattack occurs.
As a result of this test, your employees should be better able to understand their roles in protecting sensitive information, and your firm should be able to evaluate the effectiveness of its defensive measures.
Maintaining Your Firm's Cybersecurity In The New Year
The SEC takes online threats to consumer data and investor identity seriously. As 2022 demonstrated, it is increasingly enforcing cybersecurity regulations regarding the safeguarding of client data and record-keeping.
To ensure that your firm stays up-to-date with evolving cybersecurity concerns, you may find it beneficial to work with a technology partner. Nifty can help you leverage the right resources and tactics to protect sensitive data. Get in touch with us today to learn more!