This is the first part in a series of articles on how fiduciary practices leverage the training and experience of CEFEX Analysts.
A recent report from ZeroFOX, titled “Financial Services Digital Threat Report 2019,” found a 56% year-over-year increase in digital threats targeting the financial space.
In its research, ZeroFOX “scanned 2.9 billion pieces of content and found more than 8.9 million security events in a 12-month period.”
As we turn more and more to cloud-based software services, social media, and mobile devices to communicate with colleagues and vendors and to manage our clients’ data, we give bad actors more opportunities to access client information.
Unfortunately, as one of my MIT professors said, complete cybersecurity is a “negative goal,” meaning that full confidence is unattainable; suffering a security breach is not a question of “if” but “when.”
This article (one of two) will look at the importance of following a prudent process from management’s point of view. The second article will focus on the technical aspects of managing cyber risk.
The standard used by CEFEX Analysts includes the practice: “Sensitive, personal identifying information and assets of clients are prudently protected from theft, embezzlement and business disruption risks”.
Following a prudent process may not prevent a security breach, but it can significantly reduce the chances and costs when one happens.
The RIA’s goal, particularly if the firm holds personally identifiable information (PII), is to maintain the security, availability, and integrity of the data.
Best practices
Some of the best practices we have seen RIAs take are:
- Identify a member of the management committee to be the liaison between the chief information security officer and the committee. That person is supported with online and in-person educational opportunities.
- Educate employees on an ongoing basis about cybersecurity hygiene, including how to recognize fraudulent emails that appear legitimate.
- Keep systems up to date with the latest versions of all the software used in the firm.
- Use strong passwords of at least eight characters that include letters, symbols, and numbers.
- Require the use of multi-factor authentication for clients, staff, and vendors when accessing secure areas of the firm’s website. The most common form is called “two-factor access” or “2FA”: each time someone tries to access their information, they must enter a one-time code generated just for them.
- Encrypt all data locally, in the cloud, and in transit. Many providers offer encryption; however, the vendor requires access to your keys in order to manage the encryption on its end. Providing an additional encryption overlay in which the RIA controls both encryption keys can greatly reduce exposure. This is called end-to-end encryption.
- Use Virtual Private Networks (VPNs) when clients, employees, and vendors access client information while on the road or at home. VPNs provide an encrypted “tunnel” between the user and your company’s server.
- Share your commitment to security with clients. Clients can sleep at night knowing that their RIA has done its best to maintain the integrity of their personal information.
These suggestions are but a few of the ways by which an RIA can mitigate the risk of a cyber breach; however, perhaps the most important point of proactively managing your cyber risk is to maintain the trust of your clients.
As Blaine F. Aikin, Executive Chairman of Fi360 and CEFEX, discussed in a recent whitepaper, trust is the keystone for any RIA’s success.
CEFEX, Centre for Fiduciary Excellence, LLC, a Fi360® company, is an independent certification organization. CEFEX works closely with industry experts to provide comprehensive assessment programs to improve the fiduciary practices of investment stewards, advisors, recordkeepers, administrators and managers.
This article series is based on the experience of hundreds of assessments conducted since 2006. Connect to CEFEX at www.cefex.org or via Twitter or LinkedIn.
Bob Patterson has established agreements with CEFEX to conduct fiduciary assessments. CEFEX Analysts are Accredited Investment Fiduciary Analysts (AIFA®). Analysts qualified by CEFEX to perform ASPPA Recordkeeper Certification assessments must carry the AIFA® designation and at least one of the following ASPPA designations: Qualified 401(k) Administrator (QKA), Qualified Pension Consultant (QPA), Certified Pension Consultant (CPC) or Fellow, Society of Pension Actuaries (FSPA).