CEFEX Perspectives
This is the second part in a series of articles on how fiduciary practices leverage the training and experience of CEFEX Analysts.
In its most recent analysis, Europol (European Police Agency) warns that Cybercriminals are using new technology and exploiting existing online vulnerabilities to concentrate on “more profitable targets and greater economic damage,” the report warned[1]. More than likely, those profitable targets will include RIAs. Why? Because RIAs offer a “gateway” into the finances of millions in client assets.
In Part 1 of this series, we summarized general issues that RIAs, as fiduciaries, need to consider in managing their firm’s cyber risk. These included designating a point person to coordinate the firm’s efforts, educating staff and, when appropriate, clients on how to manage their access. For staff, it is especially important to use caution when opening emails from unfamiliar resources and embedded links. Staff should use virtual private networks to communicate with the company servers while on the road.
In this article, we will introduce a more formal approach to RIA cybersecurity.
Keep in mind that our primary objective for the management of cyber risk is to:
- Protect the confidentiality of data
- Preserve the integrity of data
- Promote the availability of data for authorized use
In the past, the task of identifying cyber risk of any size organization fell mostly to the Chief Information Security Officer (CISO) and focused on utilizing the “governance, risk, and compliance” (GRC) model. The updated model, “integrated risk management” (IRM), goes beyond technology to include people and process.
The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. NIST supports the GRC model as outlined in its Cybersecurity Framework, which is divided into five categories, each consisting of sub-categories and references. The five categories are:
- Identify: What assets are at risk? What is the evolving business environment? What governance process should we as fiduciaries follow? What are our organizational and individual (employees, vendors, etc.) risks?
- Protect: Who/how/why is access controlled? Is it through awareness and training (employees, partners, clients)? Physical and data security? Maintenance of equipment?
- Detect: How do we identify intrusions and other anomalies? What processes do we use to continuously monitor our exposure?
- Respond: What is our planned response in case of a breach? What have we learned to mitigate the risk in the future? How do we communicate to the press, our clients?
- Recover: What means do we have to restore the assets and information in a timely manner? What improvements do we need to make to put in place?
The NIST approach to cybersecurity works whether you have a single office or multiple locations. It can be as detailed as you might want. Below is a sample of the questions, based on NIST, which CEFEX uses in fiduciary assessments.
In the final analysis, however, protecting a firm’s information is as much a function of “how” it is designed and implemented, not just what hardware and software is used. Achieving success means setting out a framework that works for you. As with the Global Fiduciary Standard of Excellence used in CEFEX assessments, demonstrating that the firm follows a prudent process in managing its cyber risk can go a long way to minimizing the firm’s liability and reduced costs.
About CEFEX
CEFEX, Centre for Fiduciary Excellence, LLC, an Fi360® company, is an independent certification organization. CEFEX works closely with industry experts to provide comprehensive assessment programs to improve the fiduciary practices of investment stewards, advisors, recordkeepers, administrators and managers.
This article series is based on the experience from hundreds of assessments conducted since 2006. Connect to CEFEX at www.cefex.org or via Twitter or LinkedIn.
Bob Patterson has an established agreements with CEFEX to conduct fiduciary assessments. CEFEX Analysts are Accredited Investment Fiduciary Analysts (AIFA®). Analysts qualified by CEFEX to perform ASPPA Recordkeeper Certification assessments must carry the AIFA® designation and at least one of the following ASPPA designations: Qualified 401(k) Administrator (QKA), Qualified Pension Consultant (QPA), Certified Pension Consultant (CPC) or Fellow, Society of Pension Actuaries (FSPA).