Identify your risks, prevent security breaches, and make a response plan just in case.
Both FINRA and the SEC have indicated that they expect advisors to have a written policy to address information security, particularly cybersecurity. Follow these three steps to create a policy that identifies your risks, prevents security breaches, and creates a response plan in case something does happen.
1. Conduct a Security Audit
The logical first step is to conduct an audit of your current security practices and identify the security risks that exist. Start with your front door. Are your offices locked securely when closed? Identify everyone who has keys, including landlords, cleaning crew, employees, and IT consultants. Do you change locks when employees leave the firm? Could someone enter by just breaking a window? Do employees lock up all client data when not in use?
Next, inventory all hardware. Are all servers encrypted and kept locked securely? Do all your computers have up-to-date virus and malware protection? Are you using an encryption program on all desktops and laptops? Are your modems, routers, and switches secure, and do they have up-to-date firmware installed?
Review all allowed access to your client data stored internally and externally. Determine who has access to what data. Do they need that access? Identify all web-based vendors where your client data exists, such as custodians, financial-planning sites, cloud-based portfolio management, or CRM systems. What are their cybersecurity precautions? Do they allow for a two-step authentication process, such as a randomly generated code from a key fob or sent by text to a cell phone? Do they require routine password resets or have personal security questions as a second layer of protection? Are logins disabled immediately when an employee leaves? Do you have a written data-destruction policy for both paper files and electronic media?
If you allow employees to access work email on their smartphones, laptops, or tablets, are they password protected? Can they be remotely wiped if lost or stolen? Do you allow employees to access data when working remotely? Do you require an encrypted connection such as VPN? Do you require employees to use a password manager program to securely sync passwords across all their devices? Do you have a strict password protocol or require randomly generated passwords?
How are client documents protected? Are you using a secure file-sharing service or an encrypted client portal, or do you allow documents to be sent by email without encryption? Do you hold regular employee training on cyber risks and responsibilities, especially regarding mobile devices and removable media? If employees have account applications or other client documents with them out of the office, what efforts must they make to keep them secure?
Do clients have online access to their accounts? Can they effect trades or other money movement online? How do your employees verify clients' identities when money movement requests are received via email? By phone? Have there been any security breaches in the past?
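Several of the audit questions above (unencrypted or unwipeable devices, logins that survive an employee's departure, vendors that offer but do not enforce two-step authentication) can be checked mechanically once the hardware inventory, the HR roster and each vendor's login list are written down. The script below is an added example, not part of the original article: it runs those checks over a small constructed inventory. The field names, the roster and every device and vendor in it are hypothetical; a real audit would pull the same data from the HR system, the device-management console and each vendor's admin portal.

```python
"""Toy security-audit checks over a constructed firm inventory (hypothetical data)."""
from dataclasses import dataclass, field

# Constructed HR roster: only these people should hold devices or vendor logins.
CURRENT_STAFF = {"alice", "bob"}


@dataclass
class Device:
    name: str
    owner: str          # username from the HR roster
    encrypted: bool     # full-disk encryption enabled
    remote_wipe: bool   # can be wiped if lost or stolen
    av_current: bool    # antivirus/malware signatures up to date


@dataclass
class VendorSystem:
    name: str
    mfa_available: bool  # vendor offers two-step authentication
    mfa_enforced: bool   # firm has turned it on for every login
    logins: set = field(default_factory=set)  # usernames with active access


# Constructed inventory. "carol" appears nowhere in CURRENT_STAFF: she has left.
DEVICES = [
    Device("laptop-01", "alice", encrypted=True, remote_wipe=True, av_current=True),
    Device("laptop-02", "bob", encrypted=False, remote_wipe=True, av_current=False),
    Device("phone-03", "carol", encrypted=True, remote_wipe=False, av_current=True),
]
VENDORS = [
    VendorSystem("custodian-portal", True, True, {"alice", "bob"}),
    VendorSystem("crm", True, False, {"alice", "carol"}),
    VendorSystem("planning-site", False, False, {"bob"}),
]


def audit_devices(devices, staff=CURRENT_STAFF):
    """Return one finding string per failed hardware/mobile-device question."""
    findings = []
    for d in devices:
        if d.owner not in staff:
            findings.append(f"{d.name}: assigned to '{d.owner}', who is not a current employee")
        if not d.encrypted:
            findings.append(f"{d.name}: disk is not encrypted")
        if not d.remote_wipe:
            findings.append(f"{d.name}: cannot be remotely wiped")
        if not d.av_current:
            findings.append(f"{d.name}: virus/malware protection is out of date")
    return findings


def audit_vendor_access(vendors, staff=CURRENT_STAFF):
    """Return one finding per orphaned login or weak vendor authentication setting."""
    findings = []
    for v in vendors:
        # Logins that belong to nobody on the roster should have been disabled at departure.
        for login in sorted(v.logins - staff):
            findings.append(f"{v.name}: login '{login}' belongs to no current employee")
        if not v.mfa_available:
            findings.append(f"{v.name}: vendor offers no two-step authentication")
        elif not v.mfa_enforced:
            findings.append(f"{v.name}: two-step authentication available but not enforced")
    return findings


def run_audit(devices=DEVICES, vendors=VENDORS, staff=CURRENT_STAFF):
    """Combine both checks; an empty list means every question above passed."""
    return audit_devices(devices, staff) + audit_vendor_access(vendors, staff)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

The orphaned-login check is the one worth automating first: it only needs the HR roster and each vendor's user list, and it is the question that is most often answered "we think so" rather than verified.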