Cybersecurity is the most important issue facing the advisory industry and should be a top concern for regulators, according to most registered investment advisors polled recently by TD Ameritrade Institutional, and technology remains the top management challenge for them.
To break down what advisors and their financial firms need to do to better protect themselves from cyber risk, Think Advisor spoke at length with Sid Yenamandra.
The co-founder and CEO of tech security firm Entreda is well-versed in the potential causes of a major cybersecurity-related disruption. Earlier, he spoke with us about the overall threat posed to the financial industry by cyber attacks and why the cyber insurance field is like the Wild Wild West in earlier interviews.
ThinkAdvisor: How can financial service firms determine the risks they face, and what should they do with that information?
Yenamandra: The SEC and FINRA and many of the state boards clearly say that cyber security is a key operational risk item that firms have to watch out for.
The way to identify operational risk essentially is to start with a comprehensive risk analysis of the organization, and that entails looking at everything — not just at your endpoints or your users — it’s looking at physical security.
There’s a number of governance frameworks that most organizations use as best practices.
For example, the National Institute of Standards and Technology has the 800-53 framework, which is commonly used by many organizations to assess risk. Another one could be an ISO 27001 framework or the General Data Protection Regulation framework.
Once you do the risk analysis, then you have to prioritize the risks — because you might find about 500 different things that you want to go ahead and fix, but you may not have the time or the resources to address every one of those items.
Most organizations would be best served to quantify these risks based on either business priorities or, from a prioritization standpoint, [looking at] how the risks that impact their business. Prioritize the top three [or] top five and then start to work on mitigation strategies one by one.
When we do a comprehensive [review], we [take] five different steps: identify, detect, protect, respond and recover.
We then assess the risks that an organization has relative to those five steps. Once we find the gaps, we list the top five or so risks. Then we risk score and … work on risk-mitigation strategies for each one.
For instance, if we find there’s a wide network of devices because a firm is issuing mobile devices, and [employees] are accessing mobile devices, those devices need to be secured. Therefore, we put some risk-mitigation strategies in place just to secure the mobile applications.
[If a firm has] a bunch of vendors, [we] make sure the vendors are not putting the organization at risk. An organization has to take stock of all its vendors, send questionnaires and do a “trust but verify” on all them.
There are all sort of risk-mitigation frameworks. The best tip is there isn’t enough time for most organizations, big or small, to be able to do all this in-house.
You can do some things in-house, but it’s best to get a fresh pair of eyes to look at what the operational risks are to an organization from an outside-in perspective, preferably a firm that has a lot of expertise doing this — have that firm basically document the process. It’s good from a fiduciary standpoint, as well as [for] checks and balances.
TA: What particular risks do should smaller firms, like RIAs who are solo practitioners, face?
Yenamandra: We get asked that all the time from our clients. They say, “You know I’m a small financial advisory firm. I’ve got three people maybe a couple of staff members five people in total, why would someone attack me? What do I have that is so valuable?”
Those kind of size questions certainly are valid, but are absolutely untrue.
A hacker is not looking at the size of the firm. Independent of the size of your firm, you could be part of a larger network, and so getting into your environment could allow a hacker to basically get into a larger group.
You could be a small piece of a much larger puzzle, and you wouldn’t know that you were being attacked.
Look at the [Society for Worldwide Interbank Financial Telecommunication or] Swift bank scenario [in which a small central bank was hacked]. The [cyber criminals] didn’t attack the primary source. They attacked the fringes.
We think that the weakest link is the extended perimeter in most organizations. In that regard, no one is immune. Everyone’s at risk.
I definitely think that the smaller organizations are the lower hanging fruit, because they have less resources, less time and probably have spent the least when it comes to any sort of rigor around cyber. That’s one line of logic.
The other line of logic is what we’ve actually seen, and when you talk about a script kiddie or someone trying to hack for fun, they’re not going to try to hack the FBI first. They’re going to try their luck on a smaller organization and see how far they can go.
In my opinion, smaller firms present a greater risk when it comes to cyber as they have the most lax security protocols.
TA: What are the best steps for smaller firms to take?
Yenamandra: Small- to medium sized firms should consider, if resources permit, hiring a cybersecurity team.
A lot of smaller firms have an outsourced IT person who comes in and does a variety of things. But many of those IT folks are generalists, they’re not experts when it comes to cybersecurity and risk- mitigation strategies.
It’s always a good idea to have a team that consists of IT folks and a cybersecurity incident-response team, and there are many in the financial advisory world. You can ask your custodial platforms or broker-dealer for a list.
At the basic level, firms have to make it a priority as part of their risk-mitigation plan.
Any organization really hs three goals: Grow the top line, manage the bottom line, and third — equally important because it touches upon the first two goals — manage risk.
When it comes to managing risk, cyber is a key component of that risk equation. Firms have to invest time and set aside resources on an annual basis.
Certainly regulation in this industry will force you to do that anyway. Just do the best you can; there are no absolutes in this business. Try to make it a little harder for a hacker … to get into your environment.
It starts with the basics. Make sure that you identify all the devices that you’re using to connect to the Internet — mobile devices, laptops and vendors.
Make sure your devices are secure. And be sure you train your staff, because humans are the weakest link. It’s human error that causes most of the errors and vulnerabilities that attackers take advantage of, so try to plug those holes.
Also, service-level agreements are very important. When we serve large enterprise clients, they ask us, “Have you had any temporary interruption in your service? If I’m paying you X amount of dollars on a monthly basis for your services, am I guaranteed a 99.99% uptime for that service?”
If you’ve been a victim of an attack that drops the uptime from 99.99% to 90%, that’s huge — because it’s untenable for some clients. They’ll say, “No, I can’t rely on you for that for 90% uptime. We need to be at 99.99%.”
The point is denial-of-service attacks could cause a major impact [in revenue disruptions].