Earlier this week, the SEC announced that an RIA based in St. Louis will be fined $75,000 for not properly guarding its client data from hackers. And it was hacked: an intrusion traced to a source in China accessed the RIA's server, which held the personal information of approximately 100,000 clients.
The SEC tells us that none of the 100,000 clients whose information may now be in the hands of cyber criminals have reported any financial harm as a result.
That’s good news for the clients!
But this is not good news for the St. Louis advisor’s brand and reputation.
The SEC was very clear about its stance on how RIAs must protect their data, regardless of the outcome of a hack or the size of the firm:
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Adopting Written Policies
The SEC wants you to have them in place. You might already have bits and pieces, or perhaps you created them a few years ago and know you need to revisit them. Here are just a few places to start.
- Know what you’re protecting and where it is. By conducting a full asset inventory of your data and systems, you know what you have and where it is. You will want a list of all your hardware, software, applications, data, files and media regardless of its sensitivity. You want to know its location, who owns and uses it, who can access it and you can even assign a priority level or security level to it. This includes managing mobile devices. If your company has a BYOD policy, be sure you understand who has what and how it accesses your systems and data.
- Employee onboarding and training. The number varies depending on where you look, but many sources suggest that at least half of all security breaches come from employees – either accidentally or maliciously. Whatever the cause, you want to minimize the chance that the person down the hall from you could be the cause of a cyber nightmare. Know who you’re hiring by using proper screening practices and provide employee training when they’re hired and throughout their employment at your firm. Your Internet Usage Policy should also be part of the training and onboarding process to educate and remind employees of what they can and can’t do online with company hardware, software and internet access.
- Control access. Not everyone at the firm requires access to everything – digitally or physically. Policies should dictate that your servers or other sensitive hardware are off limits to anyone other than those who have some ownership of them. The same is true for data and software or applications. If someone doesn’t require access to it as a regular part of their job, then they don’t need access. Have a process in place to assign, remove and review all access permission levels.
- Adopt security best practices. We talk about this a lot with RIAs. We have our Top 10 that we seem to always be on our soapbox about. When it comes to getting your plan in place, you will want these to become part of your standard practices:
  - Automate your backups so you don’t have to rely on anyone to do it.
  - Consider going off site with your backups. The cloud is often the most convenient solution.
  - Image your server as a way to restore data if something should happen.
  - Maintain everything. The software and hardware you’ve created an inventory for needs to be kept current to prevent any vulnerabilities from showing