Cybersecurity remains vital for investment advisers. As new cyber threats are identified, cybersecurity will remain paramount for these advisers both now and in the future.
The PricewaterhouseCoopers (PwC) “State of Information Security Survey 2016” revealed that 91 percent of businesses currently follow a risk-based cybersecurity framework. Investment advisers, meanwhile, must be able to identify the key issues associated with cybersecurity as well as the best ways to manage these problems.
Fortunately, cybersecurity guidance is readily available — but first, it is important to examine why cybersecurity is important for investment advisers.
Why Is Penetration Testing for Investment Advisers Important for Improved Cybersecurity?
The U.S. Securities and Exchange Commission (SEC) frequently explores ways to help investment advisers minimize cyber risks. As such, the SEC may require penetration testing to examine the security of an IT infrastructure.
Penetration testing involves trying to exploit vulnerabilities to determine if an IT infrastructure is protected against a wide range of security threats. This testing enables investment advisers to evaluate vulnerabilities in a number of potential points of exposure, including:
- Web applications
- Network devices
- Mobile devices
- Wireless networks
Using automated and manual technologies, investment advisers can conduct penetration testing to determine if cybersecurity exploits can breach an IT infrastructure. If the exploits are successful, investment advisers likely will need to revamp their cybersecurity strategy.
SANS Institute points out that there are two reasons investment advisers may conduct penetration testing:
1. Increased security awareness – Investment advisers can identify cybersecurity issues before they cause extensive IT infrastructure problems.
2. More informed decision-making – Cybersecurity data provides exceptional value, and with penetration testing, C-suite and senior-level executives can identify IT infrastructure weaknesses and determine the best steps to minimize these issues.
Information about any security vulnerabilities found through penetration testing is typically aggregated and presented to IT and network systems managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.
A single penetration test is often insufficient, regardless of an organization’s size. However, investment advisers who devote ample time and resources to perform comprehensive penetration testing regularly can reduce the risk of immediate and long-term cybersecurity problems.
“A penetration test does not last forever. Depending on the organization conducting the tests, the time frame to conduct each test varies,” SANS Institute notes.
Ultimately, periodic penetration testing offers myriad benefits for investment advisers, such as:
- Effective risk management – Want to mitigate risk day after day? Penetration testing delivers actionable data that investment advisers can use to establish a baseline from which to mitigate risk.
- Improved business continuity – The “2015 Cost of Data Breach Study: Analysis” from Ponemon Institute and IBM indicated that involving business continuity management in the remediation of a data breach can reduce the cost of a breach by an average of $7.10 per compromised record. And with penetration testing, investment advisers can better secure data, reducing the risk of a data breach that could prove extremely costly and time-consuming to resolve.
- Increased protection for clients and partners – A cybersecurity incident may cause problems for investment advisers as well as their clients and partners. Thus, taking steps to minimize cybersecurity risks can help investment advisers boost the security of an IT infrastructure while minimizing the risk that partner or client data could be compromised.
In addition, penetration testing serves as an essential IT security assessment for investment advisers because it enables them to meet SEC requirements.
Why Do SEC Registered Companies Need to Evaluate Cybersecurity?
Understanding the SEC’s cybersecurity guidance for investment advisers is crucial. With this guidance, investment advisers can follow the proper procedures to improve cybersecurity.
The SEC offers several tips for investment advisers to bolster their cybersecurity, including:
- Use periodic assessments – In addition to penetration testing, the SEC recommends investment advisers evaluate both internal and external cyber threats, security controls and processes, how and where sensitive data is stored, the impact of a potential data breach and the governance structure for managing cybersecurity risk.
- Develop a cybersecurity strategy – An effective cybersecurity strategy ensures investment advisers can prevent, detect and respond to cyber dangers without delay. This plan should include data backup and retrieval measures, the use of data encryption and controlling access to IT systems via authentication and authorization methods.
- Educate employees, clients and partners – Cyber threats can affect an organization and its employees, clients and partners. Therefore, implementing a cybersecurity strategy and educating all involved parties about it can ensure these groups work together to control cybersecurity risks.
Furthermore, the SEC notes investment advisers may consider reviewing their operations and compliance programs to “assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk.” By doing so, investment advisers can customize their compliance programs based on their everyday operations.
“Because funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses,” the SEC points out. “Additionally, because funds and advisers rely on a number of service providers in carrying out their operations, funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers.”
What Should Investment Advisers Expect From the SEC in the Future?
Cybersecurity assessments will remain essential for investment advisers. Over the next few years, new SEC regulations could also be developed that require investment advisers to further protect their IT systems.
For example, professional services firm Deloitte notes investment advisers need to understand the documentation, processes and controls associated with cybersecurity. Failure to do so could cause immediate and long-term damage for investment advisers as well as their customers and partners.
So what will it take for investment advisers to meet SEC requirements and continue to comply with more stringent cybersecurity regulations down the line? Here are six cybersecurity tips for investment advisers:
1. Document your security protocols.
Investment advisers should document their security approach and how it may change over an extended period of time. Accurate, up-to-date documentation ensures these advisers can provide information about their cybersecurity protocols to SEC officials at any time.
Cybersecurity documentation should include:
- Information about the development and deployment of an organization’s cybersecurity governance structure and operating model
- Details about cybersecurity policies and procedures (P&P)
- Cyber insurance documentation
Also, investment advisers should be prepared to show they fully understand cybersecurity risks, and any data breach or cyber attack must be documented, with the security protocols reinforced accordingly. Investment advisers that understand an IT environment, how this environment functions and how to manage it can minimize cybersecurity risks without delay.
2. Protect your networks and data continuously.
How should investment advisers secure their networks and data? Having the ability to show SEC officials exactly how networks and data are protected ensures investment advisers can avoid fines and penalties due to non-compliance.
Investment advisers need to possess the skills and know-how to effectively employ risk management process standards and controls. In order to do so, investment advisers must be prepared to devote the necessary time and resources to minimize cybersecurity issues day after day.
For investment advisers, education remains crucial, particularly when it comes to cybersecurity. Additionally, those who are committed to meeting SEC requirements can learn about cybersecurity and its importance for their organizations so they can take the correct steps to comply with SEC mandates.
A standards-based approach to cybersecurity remains exceedingly valuable for investment advisers. This approach ensures investment advisers have the right staff in place to manage data consistently. Also, a standards-based approach shows investment advisers understand the vast array of cyber threats that may impact their organizations and possess effective controls that are proven to minimize these issues.
3. Identify the risks associated with customer access and funds transfer requests.
If a customer wants to access their accounts online or complete a funds transfer request, will this client’s sensitive data remain secure? That’s a question investment advisers need to consider. As such, investment advisers will need to do everything possible to identify and manage customer risks.
How investment advisers control and secure customer data is key. These advisers must be able to show the SEC that effective cybersecurity controls are in place to ensure customer information is protected 24 hours a day, seven days a week.
Plus, investment advisers must be able to deliver secure, consistent online access to clients that includes verification mechanisms. In many cases, investment advisers may consider multiple verification systems as well.
Investment advisers must be able to identify unusual behaviors among customers who access their data online, too. Advisers who have the ability to monitor customer behaviors can understand the differences between typical and unusual actions when customers access their accounts. With the ability to differentiate between normal and anomalous customer behavior, investment advisers can reduce the risk that customer data becomes compromised.
Investment advisers also may deploy multi-factor authentication (MFA) techniques to further protect customers against cyber threats. MFA minimizes the risk of a minor cyber threat becoming a major issue because it requires customers to pass through multiple layers of security to access their accounts.
As a result, cybercriminals become less likely to guess a customer’s password or gain illegal access to a customer’s account. This ultimately could lead to a significant reduction in cyber attacks, because cybercriminals would need to spend additional time and resources to overcome these security layers, something that is exceedingly difficult, if not impossible.
4. Understand the risks associated with third-party vendors.
Investment advisers may partner with third-party vendors to gain additional support. However, selecting the right vendors requires investment advisers to understand how these partners secure their sensitive data.
If a third-party vendor suffers a data breach, it may impact investment advisers as well as their clients and other partners. But investment advisers that work with vendors can ensure these partners effectively safeguard sensitive data consistently, thus reducing the risk of a data breach or other cybersecurity issues.
How well investment advisers know their partners may dictate these advisers’ security risks. Thus, learning about companies before partnering with them provides exceptional value for investment advisers, particularly when it comes to cybersecurity.
Developing an audit checklist may help investment advisers evaluate third-party vendors. This checklist should include questions about how third-party vendors approach cybersecurity, the protocols and processes they have in place and what security functions they manage on site. Investment advisers also should find out if third parties have suffered data breaches in the past, and if so, how they dealt with these issues and took steps to reduce the risk of recurring security problems.
5. Ensure unauthorized activity can be detected immediately.
Cybersecurity monitoring tools can make it easier for investment advisers to identify cybersecurity issues instantly.
When it comes to detecting unauthorized activity, education and tutorials provide significant value for organizations of all sizes. Teaching employees how to avoid cyber risks such as malware and viruses, for instance, minimizes the risk of internal cybersecurity issues. Similarly, educating customers and partners about cybersecurity ensures these parties can bring any potential cybersecurity concerns or questions to an organization’s attention immediately.
Bridging the communication gap between cybersecurity professionals and investment advisers also is important. Constant communication between cybersecurity professionals and investment advisers ensures both parties can stay informed about rapidly evolving cyber threats. It also minimizes the danger that unauthorized activity will go unnoticed.
6. Be as prepared as possible.
When it comes to cybersecurity, it never hurts to be over-prepared whenever possible. In addition, with a strong commitment to cybersecurity improvement, investment advisers can also maintain compliance with SEC regulations.
A diligent approach to documentation provides an organization with actionable insights into its cybersecurity management. Tracking cybersecurity incidents, loss of client information due to a cyber attack and intelligence monitoring for insider threats ensures investment advisers are prepared in the event of a cybersecurity audit. Performing these tasks enables investment advisers to monitor their cybersecurity plans and make informed decisions about how to enhance these strategies.
How Can Vigilant Compliance Help Investment Advisers Address Cybersecurity Concerns?
Cyber risks are becoming increasingly relevant to the investment management industry. Mutual funds, hedge fund and private equity managers, and investment advisers must now understand the risks associated with each of these areas. Today, the traditional methods of evaluating and minimizing cyber risks are becoming obsolete. Going forward, investment advisers and broker-dealers must consider innovative technologies to address cyber threats before they become serious issues for an organization, its employees, its investors, its clients and its partners.
As a full-service compliance firm, Vigilant Compliance has extensive experience and knowledge of how investment advisers and broker-dealers conduct business. At Vigilant, we understand the relevant risks and the IT platforms your investment adviser or broker-dealer uses, and we build a cybersecurity program that is customized to your firm and risk profile.
As part of our Cybersecurity Solution, we implement a thorough review and risk assessment process designed to make and prioritize recommendations to improve your firm’s security. This includes internal and external threat assessments, recommendations for remediation and strategic planning. Risk assessments are conducted through a combination of automated testing, interviews and process reviews. All of the assessments are tailored to the size and needs of your organization. Results of the cybersecurity review and assessment are then compiled and reported back to the senior management of investment advisers and broker-dealers. In addition, clients are provided with a written information security policy and an incident response policy tailored to their business and IT infrastructure, utilizing industry best practices.
Modified: November 7, 2018