March 28, 2016
- Managing Director, Institutional Oversight and Control, TD Ameritrade Institutional
When it comes to data security, 2015 was a groundbreaking year in the financial industry. For the first time, the SEC officially chimed in and started to define the steps firms need to take to avoid a breach, along with the potential consequences of not following the defined standards, as evidenced by the first publicly disclosed enforcement action against an RIA for not complying with the new standards. And it’s not just the SEC who’s watching. Your clients also want to know that you’re handling their data with care.
In addition to studying the SEC’s new guidelines, there are a number of ways to avoid breaches. Some can even be achieved at little to no cost to your firm. And while you may need to make a financial investment to get the job done, the amount of money you spend will pale in comparison to the fees, fines, attorney costs, and other expenses that go hand in hand with a data breach, not to mention the blow your firm’s reputation will take in the aftermath.
Implement data loss prevention tools
The most obvious part of the equation is to invest in software and other risk management tools that will protect your clients’ data. These tools may include:
• Secure, encrypted email
• Managed anti-virus/anti-spyware
• Managed and corporate firewall
• Full-disk encryption
• Two-factor authentication
• Password management
For many firms, the responsibility of data security falls on their IT professional, but you should consider making cybersecurity a C-level responsibility. The reason is simple—cybersecurity requires constant monitoring. While your IT resource is surely capable, it’s likely that between fixing hardware, staying on top of software issues, and managing your firm’s network, he or she just does not have the time required throughout the day to defend against cyberthreats properly.
If you rely on an external consultant for your IT and cybersecurity needs, you should assign a member of your management team the role of CIO to oversee the program and maintain awareness among internal employees.
Elevate the conversation
Encourage your team to speak up when they spot suspicious activity and, if possible, get everyone in one room to talk about the situation—not just the owners or top-level partners. Chances are, someone else may have noticed a similar issue or have some key insight. By working together, you can connect the dots and head off problems from the start.
You don’t have to wait for suspicious incidents to occur to start a discussion about cybersecurity. In addition to uncovering issues, bringing your team together on a regular basis to refresh your cybersecurity policies is a great way to foster a culture of awareness. During these meetings, you should:
• Make sure staff members aren’t sharing or using common passwords
• Check that all cell phones, computers, and other devices used to access client information are encrypted
• Remind advisors not to send investment information through unsecured email
• Encourage advisors to communicate more regularly with clients so they can be more aware when unusual activity occurs
Examine your vendors
Do third-party vendors have access to your clients’ data or other critical information about your RIA firm? If so, it’s time to do some digging to ensure they’re handling that information with care. Remember that this is your business, these are your customers, and the vendor works for you.
When working with vendors, you should:
• Read your service agreement or contract to see if data handling is addressed
• Find out where your data is stored and how they dispose of this information once your agreement is terminated
• Find out whether or not they have an incident response plan in place
Whenever possible, use best-of-breed providers and be wary of free products, like email services and anti-virus protection. Often, the ability to offer services at no cost can come at the expense of proper security.
Educate your staff and clients
With so many threats to navigate, it’s crucial to keep both your team and your clients aware of the most up-to-date best practices to guard against breaches. This is where a formal CIO plays a critical role. This person can search for webinars and other resources that stress the importance of data safety. They can also schedule mandatory meetings to go over this information with your staff. When possible, your CIO can pass client-friendly resources and threat trends to your clients via email. Doing so will not only keep them informed but also illustrate your firm’s commitment to managing risk and keeping information secure.
Build an incident response plan
Even if you have every safeguard in place, the fact that the threat landscape is constantly evolving means there’s still potential for your firm to be breached. As a result, you should always have a strategy in place to respond to threats and protect against loss. To start, be sure your data is backed up regularly so that you have access to crucial information in the event of a breach. Then, decide how you want to inform clients and who will contact vendors; also determine what other tasks are critical to managing a breach successfully.
By implementing these tools and practices throughout your RIA firm, you can begin to build a strong defense against cyberthreats and breaches. You may never be 100% protected from a breach, but at a minimum, you can protect yourself against SEC action by following its guidelines and doing what you can to go beyond to protect your clients’ data.
For more help protecting against cyberthreats and managing risk, be sure to explore Affinity Services from TD Ameritrade Institutional.