In a February 2015 Risk Alert, the SEC published the findings of its examination of 57 registered broker-dealers and 49 registered investment advisers. The purpose of the examinations was to gain insight into how the two groups were doing with respect to cybersecurity in three areas: legal, regulatory and compliance. The findings revealed that 88% of the broker-dealers and 74% of the advisers had, directly or indirectly through vendors, experienced some form of cyber-threat. Most commonly, the threat came in the form of malware or fraudulent emails.
For many of us, malware and fraudulent emails are something we’re on the lookout for. Maybe even well prepared for. But in the financial industry, which is interconnected more than most industries, it isn’t just important that you and your firm are well prepared, it’s important that the industry is well prepared.
An industry at risk of a “Single Point of Failure”
Sarah Dahlgren, Executive VP at the Federal Reserve Bank of New York, spoke of the “single point of failure” threat during the OpRisk North America Annual Conference this year. We weren’t there, but we read her remarks online, and so can you. She sheds light on the risk to the financial services industry that arises because so many of our systems are intertwined: if there is a single weak spot, the consequences could be catastrophic.
How this translates to your firm
While most RIA firms may not be able to solve the larger industry problem, you can think about this in the context of your own firm. If there is a “single point of failure” inside your firm, what kind of impact can it have on your operations?
If you have a solid and comprehensive backup and recovery plan in place, a cyber-attack might only have a small impact. But if you don’t have a plan, you should put one in place, and know that you might not recover from a cyber-attack as easily.
A few points of advice
We recently published some of the top cybersecurity tips we often share with RIAs in the blog post Are Small RIAs Perfect Targets for Cybercriminals? But in this context, there are a few other things we wanted to point out:
- Train your employees well. If malware and fraudulent emails are the most common attacks, training all your employees thoroughly and reminding them on an ongoing basis will be important. We’ll be publishing a blog post focused on employee training in the coming weeks, so watch for it if this is a concern for you.
- Do due diligence on all the vendors and companies who have access to your systems. You might trust that they aren’t “hackers,” but you also want to be sure that they themselves are not vulnerable and could not become that “single point of failure” into your systems.
- Consider taking an outsider’s look at where you’re vulnerable. A thorough Cyber Security Assessment Review examines your external, internet-facing systems to show you what a hacker can see, and helps you prioritize improvements and changes.