Technical Best Practices for Managing Cyber Risk: CEFEX


Stopping the bad guys.

CEFEX Perspectives

This is the second part in a series of articles on how fiduciary practices leverage the training and experience of CEFEX Analysts.


In its most recent analysis, Europol (the European Police Agency) warns that cybercriminals are using new technology and exploiting existing online vulnerabilities to concentrate on “more profitable targets and greater economic damage”[1]. More than likely, those profitable targets will include RIAs. Why? Because RIAs offer a “gateway” into the finances of millions of dollars in client assets.

In Part 1 of this series, we summarized general issues that RIAs, as fiduciaries, need to consider in managing their firm’s cyber risk. These included designating a point person to coordinate the firm’s efforts, and educating staff and, when appropriate, clients on how to manage their access. For staff, it is especially important to use caution when opening emails from unfamiliar sources and when following embedded links. Staff should use virtual private networks to communicate with the company servers while on the road.

In this article, we will introduce a more formal approach to RIA cybersecurity.

Keep in mind that our primary objective for the management of cyber risk is to:

In the past, the task of identifying cyber risk in an organization of any size fell mostly to the Chief Information Security Officer (CISO) and focused on the “governance, risk, and compliance” (GRC) model. The updated model, “integrated risk management” (IRM), goes beyond technology to include people and process.

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. NIST supports the GRC model as outlined in its Cybersecurity Framework, which is divided into five categories, each consisting of sub-categories and references. The five categories are:

The NIST approach to cybersecurity works whether you have a single office or multiple locations, and it can be applied in as much detail as you want. Below is a sample of the questions, based on NIST, that CEFEX uses in fiduciary assessments.

In the final analysis, however, protecting a firm’s information is as much a function of how its safeguards are designed and implemented as of what hardware and software are used. Achieving success means setting out a framework that works for you. As with the Global Fiduciary Standard of Excellence used in CEFEX assessments, demonstrating that the firm follows a prudent process in managing its cyber risk can go a long way toward minimizing the firm’s liability and reducing its costs.

About CEFEX

CEFEX, Centre for Fiduciary Excellence, LLC, an Fi360® company, is an independent certification organization. CEFEX works closely with industry experts to provide comprehensive assessment programs to improve the fiduciary practices of investment stewards, advisors, recordkeepers, administrators and managers.

This article series is based on experience from hundreds of assessments conducted since 2006. Connect with CEFEX at www.cefex.org or via Twitter or LinkedIn.

[1] http://bit.ly/2OAJfwm
