Financial Professional Cybersecurity Part One
By Harry J. Lew
For financial professionals, 2017 may go down in history as the year they got serious about cybersecurity. After a series of major hacks hit the news (Equifax, WannaCry ransomware), the total number of data breaches exploded (reaching 1,293 incidents). Regulators began applying more pressure, and agents and advisors began accepting the need to get more involved in cybersecurity. The question now is: “How?”
Fortunately, the best practices needed to counter these risks are well documented. Financial professionals just need to educate themselves and then act decisively. Where to begin? View cybersecurity as an integral management challenge—i.e., one with the same priority as, say, your sales, marketing, human resources, or IT functions—and then either take responsibility for it personally or assign it to an employee or vendor.
Experts suggest your first step should be developing a risk-management plan. This typically involves breaking the cybersecurity function into specific roles and responsibilities, conducting a detailed risk assessment, and then creating and maintaining a plan for keeping your firm and clients safe. The good news? Several planning frameworks can jump-start your efforts. An excellent starting point is Small Business Information Security: The Fundamentals, which was developed by the National Institute of Standards and Technology (NIST), a unit of the U.S. Department of Commerce.
The document starts by defining in layperson’s terms the nature of risk and laying down its four underlying elements:
- Threats (environmental, business resources, hackers, criminals)
- Vulnerabilities (weaknesses in security protections)
- Likelihood of threats hurting business (historical trends, loss statistics, capability, and intent of criminal actors)
- Impact on business (harm arising from theft or disclosure of sensitive business information, from business information or systems being modified, or from loss of access to business data or IT systems)
Working your way down this list will determine the risks your cybersecurity plan should take into account. Once you have a sense of those, your next step is to begin managing them. NIST suggests a five-phase effort:
- Identifying: entails identifying and controlling who has access to your business information, conducting background checks, requiring individual user accounts for all employees, and creating information security policies and procedures.
- Protecting: involves limiting employee access to data and information, patching your operating systems and applications, installing hardware and software firewalls, using encryption, and several other key steps.
- Detecting: consists of installing and updating anti-virus, anti-spyware, and other programs to prevent malicious activities, as well as maintaining and monitoring activity logs.
- Responding: includes developing and implementing an incident-response plan should a natural or human-orchestrated security event occur.
- Recovering: entails making full backups of important business data and information, periodically making incremental data updates, considering buying cyber insurance, and enhancing business processes and technologies as needed.
Finally, the NIST document suggests you adopt safe computing practices in order to lower the chance of future data breaches. These are things like paying attention to the people you work with and around, avoiding suspicious email attachments and URLs, and not commingling business and personal hardware and accounts, among many others.
Since the above discussion is just a high-level summary of the NIST framework, it’s highly recommended that you download and study the full document. However, if the NIST process seems too complicated, the North American Securities Administrators Association (NASAA) has created a simplified version in its Cybersecurity Checklist for Investment Advisors. Although NASAA prepared its checklist for investment advisors, it’s broadly applicable to insurance agents, securities brokers, and real-estate agents and broker-owners as well.
In addition, the Financial Industry Regulatory Authority (FINRA) has developed its own Checklist for a Small Firm’s Cybersecurity Program, which is available for download. Meanwhile, the Securities and Exchange Commission (SEC) has a list of robust policies and procedures that state- and federally supervised investment advisors can adapt to their own firms. These include:
- Maintaining an inventory of data, information, and vendors.
- Creating detailed cybersecurity-related instructions for things like penetration testing, security monitoring and system auditing, access rights, and reporting.
- Maintaining prescriptive schedules and processes for testing data integrity and vulnerabilities.
- Establishing and enforcing controls for system and data access.
- Providing mandatory employee training.
- Keeping senior management involved in cybersecurity management.
By reviewing and “stealing” from these various protocols, you will be in good shape for devising your risk-management plan. Once you’ve created that, you’ll be ready to move from cybersecurity planning to best-practice execution, which we will discuss in Part II of this series.
- IT Security Central