Addressing cybersecurity – are you making progress?
Posted by Richard J. Lynch, AIFA®, President, fi360, Inc. on September 16, 2015
fi360’s most recent update to their Fiduciary Practices was completed in 2013. That update introduced a new criterion related to safeguarding client and plan data. To address this new criterion, CEFEX, the Centre for Fiduciary Excellence, introduced the following question to its assessment/auditing procedures for advisors; similar questions are asked in record-keeper assessments as well.
What measures are taken to secure client information?
- Does the Advisor physically hold and store any Personally Identifiable Information (PII)?
- Does the Advisor hold and store PII in electronic formats?
- Does the Advisor have guidelines for accessing electronic applications?
- Does the Advisor have a policy regarding the storage, transmission and disposal of participant or plan data?
- Is PII encrypted at the server level?
- Is PII encrypted when sent by email?
- Have background checks been completed on staff that have access to client, participant or plan data?
- Does the Advisor have a document retention policy?
- Does the Advisor have a process for backing up client, participant or plan data?
- Does the Advisor’s facility have security controls in place, e.g., camera, keyless entry, etc.?
- Does the Advisor have an information security process for employment terminations?
- Does the Advisor have a procedure for handling security breaches?
What CEFEX has found thus far is that while most firms are addressing cybersecurity issues to some degree, there is work yet to be done. The most common opportunities for improvement are 1) encryption of data on the server (this level of protection is a best practice that goes beyond external measures such as firewalls, penetration testing, and password requirements) and 2) written procedures for handling security breaches.
In the Ponemon Institute’s “2015 Cost of Data Breach Study: United States” the average recovery cost for a data breach tops $6 million. Clearly, lack of security can significantly impact profitability, and most now agree that a data breach is not a matter of if but when. It’s interesting to see then that firms are slow in getting security breach procedures in place.
In February 2015 the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a report on their cybersecurity examination sweep of 57 registered broker-dealers (B/Ds) and 49 registered investment advisers (RIAs). The purpose was to identify the firms’ practices related to:
- identifying risks related to cybersecurity;
- establishing cyber security governance;
- protecting firm networks and information;
- identifying and addressing risks associated with:
  - remote access to client information and funds transfer requests, and
  - vendors and other 3rd parties; and
- detecting unauthorized activity.
The SEC findings included:
- Most firms have adopted written information security policies.
- Most conduct periodic risk assessments.
- Most have been the subject of a cyber-related incident; 88% of B/Ds and 74% of RIAs. (Note: In the Ponemon Institute’s “Second Annual Study on Data Breach Preparedness,” 43% of businesses experienced a data breach in the past year.)
- Most B/Ds and some RIAs incorporate cyber security requirements into vendor contracts.
- Almost all firms make use of some form of encryption.
CEFEX will continue to assess cybersecurity during initial and renewal assessments (firms must pass renewal assessments each year in order to maintain their certification) and “Opportunities for Improvement (OFIs)” can become “Non-Conformances (NCRs)”, which would result in the decertification of a firm.
The SEC will continue to focus on cyber security using risk-based examinations, and we expect that the bar will continue to be raised.
How well does your firm measure up?