This post is going to take a slightly different tone than all my previous blog posts given the seriousness of the matter and besides, it’s cybersecurity awareness month. As many of you have probably read, the SEC recently fined a St. Louis based investment firm $75,000 for failing to implement a firewall, encrypt its client data, and for not establishing any procedures to respond to a cybersecurity incident, a clear violation of the commission’s Safeguards Rule adopted in 2000 under the Securities Act of 1933. In case you are thinking to yourself, I can handle $75,000 in fines. Please note that the fine of $75K is just the beginning of what is to come to this firm in the ensuing months and years. Reputation damage, loss of clients, law-suits…. need I say more.
So, here is what happened:
R.T. Jones, an investment firm that handles approximately 8,400 client accounts and about $480 million in assets, established agreements with a retirement plan administrator and various retirement plan sponsors using a managed account called Artesys. When potential investors elect to enroll in the Artesys program, they are asked to enter personally identifying information (PII) into this website, along with their investment objectives, and are then matched with a particular portfolio from among those offered by one of the retirement plan sponsors with which R.T. Jones partners. In order to verify that a prospective client is eligible to enroll in the Artesys program, their personal information is compared against the personal information of thousands of eligible participants provided by the retirement plan sponsor partners, which was stored on R.T. Jones’s third-party hosted web server. Thus, even though R.T. Jones had substantially fewer than 100,000 clients at the time of the breach, its web server contained the data of more than 100,000 individuals. Now, from 2009 until its system was hacked in 2013, the investment firm failed to implement a firewall or encrypt any of the data contained in this third party server.
Here are 3 reasons why this is so important for financial firms (or any firm that is handling PII) right now.
There is a 300% increase in number of attacks this year against financial services firms, according to Websense Raytheon.
Clients are increasingly getting concerned about identity fraud and monetary losses due to negligence on the part of financial advisory firms.
So, what can you do to stay on top of your game.
1. Document your cybersecurity policy and procedures.
Adopt written cybersecurity policies and procedures. And, don’t forget to revise the policy periodically. Work with experienced compliance firms, or your compliance attorney to draft up a written cybersecurity policy. Make sure your cybersecurity policy accurately depicts the workflow of your firm. I can’t say how many times I have seen firms talk about having a cybersecurity policy but these same firms have never actually reconciled their written policy to their existing work flow. Not a great place to be! And, please make sure you have an incident response strategy section in your policy (more on this topic in point #3).
2. Enforcement strategy.
This is where you need to have a strategy to enforce your cyber security policy. It’s great to have a nice cybersecurity policy, train your staff and hope for the best. But, under the current environment of heightened cyber threat and regulatory oversight, it pays to be super pro-active about enforcement. “95% of cyber attacks are due to human error on the part of employees and contractors,” according to IBM. Designate at least one individual within your firm to periodically check-in with your staff to ensure that all policies and procedures are being met. This can take the form of spot audits, or just get your employees to send out a status report periodically. The famous quote, “Trust, but verify” is the best policy here.
3. Breach planning and incident response strategy.
So, you have drawn up a cybersecurity policy. You spent months working on this and reconciling it to actual implementation. You have even delegated a set of tasks to ensure that the policy is being enforced on all your employees and firm’s IT assets. Are you done? No. In fact, you are not even close. You need to spend time to figure out what your protocol is going to be in case of a cyber attack. Do you bring in an experienced cybersecurity firm to be the first responders on the scene? What happens if an employee suspects a breach? Who does the employee call or escalate the matter to? Do you have written record of all incidents in the past? How did you resolve them? How did you handle client communication? Did you report the breach to the proper authorities? “Over 81% of firms have experienced some sort of a data breach and don’t know it”, according to McKinsey.
4. Annual Vulnerability and Penetration tests.
The OCIE, a division of the SEC clearly stated in its September 15th, 2015 guidance that all financial firms should do a vulnerability assessment and penetration test, atleast once a year. So, what does this entail? At the very least, hiring a third party firm to evaluate your cybersecurity policy and implementation to discover any potential security holes. Better yet, a targeted penetration test, commonly referred to as a black box test. It is advised to not use your existing IT firm to perform these tests. Why? Well, for the simple reason that this would be like getting the fox to guard the henhouse.
5. Security awareness training for staff and vendors.
Make sure you set aside some time at least once a quarter to review the security policy and procedures with your entire staff. I am sure most employees will have lots of questions and this will give the management team a chance to understand the concerns and hopefully address them. Accountability is critical in these matters and certainly having periodic meetings with employee’s forces the issue.