Effective Cybersecurity Policies

On April 28th, the SEC issued a Cybersecurity Guidance Update for the purpose of highlighting the importance the Commission is placing on getting advisors to do all they can to protect client information. The Guidance Update did not cover any new initiatives but appears to express the Commission’s belief that almost all advisors are falling short on protecting against cyberattacks.

The Guidance Update recommends creating a strategy to prevent, detect and respond to cybersecurity threats. That strategy should be implemented through policies, procedures and training that provide guidance to officers and employees with best practices and knowledge to limit cybersecurity vulnerabilities and respond appropriately when an attack is detected.

Development and implementation of cybersecurity policies has to start with one overriding policy that: 1) addresses the importance of safeguarding client information, 2) defines the approach taken to manage information security and 3) states top management’s commitment to information security. There will then be multiple policies that address passwords, emails, mobile devices etc. For a cybersecurity policy to be effective it has to:

  • Include parameters that define the technology, software and activities addressed
  • Have processes for maintaining up-to-date cybersecurity defenses
  • Involve training employees about computer safety and cybersecurity procedures
  • Provide rewards for adherence to policies and procedures and reprimands for violators
  • Recognize in a meaningful way the firm’s successes in defending against cyberattacks

Top management’s buy-in is essential to the success of a cybersecurity policy. Implementing cybersecurity procedures is implementing behavioral change and this is where most firms fall short. The only way an entire firm adopts better computer security habits is if top management preaches the message that protection of client information is the responsibility of every employee and then backs that up with rewards, punishment and recognition.

Cybercrime is constantly evolving and adapting so cybersecurity policies need to evolve and adapt as well. Procedures need to be constantly updated to reflect those new threats as well as take into consideration new technologies and software that the firm adopts. For that reason, it is important that a chief information security officer or team be established that is responsible for staying up to date on the cybersecurity situation. The officer or team will also be responsible for ensuring that the entire firm stays informed of the latest threats and adopts procedures for countering those threats.

The threat is real and the damage from an attack can be substantial. It is estimated that 1/3 of cyberattacks are on firms with fewer than 250 employees. Unlike individuals, small firms have data and assets worthy of a hacker’s time and effort, but they lack the resources and defenses of large firms. The SEC’s survey of industry cybersecurity efforts found that over 25% of advisors and broker-dealers had been victims of fraudulent emails that resulted in losses between $5,000 and $75,000. By comparison, the FBI estimates that the typical successful bank robbery nets $8,000. Compared to a bank robbery, the risk to a cybercriminal is negligible relative to the reward, so one can only expect the attacks to increase in number and complexity.

The bottom line is that the SEC and FINRA want the financial advisory community to see cybersecurity as more than an exercise in meeting compliance requirements. Financial advisors have to begin viewing cybersecurity as an essential risk-management practice. A savvy advisor may also be able to turn this into a marketing advantage by informing clients of their cybersecurity procedures. In this age of sensational and well-publicized cyberattacks, clients would likely welcome and appreciate knowing that their advisor is doing everything possible to keep their personal data safe.