Across the 22 SOLUTIONS workshops Charles Schwab conducted in 2016, 90% of RIA business owners surveyed cited cybersecurity as their #1 concern.
Michelle Thetford, moderator of a cybersecurity panel at Schwab IMPACT®, shared two main reasons why cybersecurity is of increasing concern. First, cybersecurity incidents are becoming more frequent. Second, stolen client data has a direct impact on both the financial risk and reputation of affected RIAs.
Here’s what you should do to lessen the likelihood of a security breach and what you can do to limit the damages if one does happen.
Educate employees on cybersecurity
Employees may pose the greatest security risk of all. Though not with malicious intent, an employee may unwittingly respond to a fraudulent request — like a phishing email — or otherwise compromise security.
In a 2016 Forbes interview, Michael Madon, a recognized leader in the field of cybersecurity, stated: “Too many companies are looking for a technical solution to what is essentially a human problem… Most security professionals agree that awareness training is the best way to tackle the [cybersecurity] problem.”
Don’t assume a cybersecurity policy covers your loss
Several compliance officers at the 2016 Schwab IMPACT® conference took a hard look at cybersecurity insurance policies. They found that many policies don’t cover a cybersecurity incident if the breach happened because the firm didn’t follow its own policy or procedure.
When you’re reviewing cybersecurity insurance policies, look closely at when coverage is excluded, because there is nothing worse than thinking you’re covered when you’re not. Pointing out holes in cybersecurity coverage, alongside the increasing risk of a data compromise, can also help convince firm owners of the need to put a cybersecurity program in place.
Build a cybersecurity program
Here are some steps and resources to get underway.
- Assess risk. When the moderator of a Schwab IMPACT® panel asked authors of cybersecurity programs at two large RIAs what they would do differently, they both said: start a lot sooner, especially with employee training.
- If you custody any assets at Schwab, check out the Cybersecurity Assessment and Action Plan tool on the Schwab Cybersecurity Resource Center (note: you must have login credentials to access).
- Adam Moseley, Managing Director of Business Consulting Services at Schwab, describes how this assessment tool helps identify and prioritize risks in his presentation at the 2017 T3 conference.
- The National Institute of Standards and Technology (NIST) cybersecurity framework is another great resource to assess your risk. It is the foundation on which many cybersecurity programs are built.
- Protect against threats. Work with your IT provider to ensure that only appropriate people have rights to certain data, and to help you determine how you’ll prevent data from being compromised and how you’ll approach employee training and vendor management.
- Detect potential problems. Test and troubleshoot. For example, some firms intentionally send out a fake email to their employees to see which of them click on a link. For those who do, the link sends them to a web page with a warning message: “This was just a sample trial to see what you would do. You should not have clicked on this link as it could have resulted in a malicious outcome for the firm.”
- Create a response process. Define how your firm will respond when a cybersecurity incident occurs, including which types of incidents require client notification, how you will notify clients, and what that communication will say (what information you will provide, whether you will offer a credit monitoring service, and whom clients should contact if they have more questions).
- Because employees are one of the biggest risk factors for compromised data, make employee training your first step. Many IT firms and service providers now offer cybersecurity education for hire. In an upcoming post, we’ll share tips on how to make cybersecurity everyone’s favorite lunch and learn.
- Before purchasing a cybersecurity policy, ask to see a sample policy so you can review what would not be covered when you report an incident.
- Check out the SEC for cybersecurity guidance updates or the Schwab resource center on cybersecurity for more information.