Clearing Up Cybersecurity Confusion
What's required, what's best practice, and what the risks are for advisors.
Most advisors understand that cybersecurity and protecting client data are of paramount importance, yet significant confusion remains as to what specific cybersecurity rules (if any) apply to investment advisors. Additionally, and with the ever-evolving nature of the cybersecurity challenge, many advisors assume that protecting client data and staying compliant require outsourcing these tasks entirely, purchasing expensive tools, or both. While outsourcing and quality cybersecurity tools can certainly be of benefit, advisors would be best served to understand what's required, what's best practice, and what their risks are before tackling the cybersecurity process and compliance.
What Cybersecurity Regulations Apply to Registered Investment Advisors?
Investment advisors must follow the requirements of their specific regulatory body, and for Registered Investment Advisors, this means looking to either the SEC or their state securities division. Yet those searching for a cut-and-dried list of cybersecurity rules and requirements from their regulators are likely to be disappointed. Specifically, the SEC will direct you to Regulation S-P, which requires registered broker/dealers, investment companies, and investment advisors to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Considered alone, this is an extremely vague requirement.
Cybersecurity is a constantly evolving issue that the SEC itself has struggled with internally, but that doesn't mean it has been silent on the issue or isn't holding advisors accountable. In recent years, the SEC has issued additional guidance on what it's looking for when it comes to cybersecurity and data protection, most of which can be found on its cybersecurity website. (State regulators are likely to reference the SEC's guidelines unless they have their own policies, and the Financial Industry Regulatory Authority has published many of its own resources on cybersecurity best practices.) While there is no definitive manual on how to remain compliant by SEC standards, the documents published provide advisors with an adequate framework for creating a comprehensive cybersecurity program and preventing unauthorized access to sensitive client data.
Do Advisors Need to Be HIPAA Compliant?
In a word, no. Unless your firm is collecting protected health information from clients and simultaneously operating within the healthcare space, the Health Insurance Portability and Accountability Act does not apply to RIAs. Similarly, advisors aren't likely to be subject to Sarbanes-Oxley Act compliance unless their firm is a publicly traded company. While this may seem self-evident, it's actually a significant point of confusion within the advisor community, as many assume they are subject to multiple cybersecurity and data protection protocols at the federal level. Notably, there is some overlap between SEC guidance and other data/privacy protection laws such as HIPAA, as many provisions are simply fundamental to a quality cybersecurity program. Having a third-party vendor or tool that is, or has the ability to be configured as, HIPAA compliant likely isn't a bad thing, though this should not be a deciding factor in evaluating advisor software solutions.
What Should Advisors Do to Satisfy Regulators' Cybersecurity Requirements?
The SEC has published several documents in recent years that can be found on its cybersecurity web page to provide advisors with a framework for creating a comprehensive cybersecurity program and help them understand what the SEC is looking for in this regard. Perhaps the most useful of these documents is its 2014 Risk Alert that actually includes a sample examination checklist, which details specifically what a regulator is likely to ask for in the event of an audit. Not surprisingly, the SEC's sample examination checklist is structured around the five key areas of the National Institute of Standards and Technology's (NIST) cybersecurity framework.
In essence, regulators are likely to want to see written policies and procedures to 1) identify risks, 2) protect data, 3) detect unauthorized activity, 4) respond to cybersecurity events, and 5) recover from a breach. This checklist (like any audit checklist) can seem overwhelming, but for those with already strong data protection policies and tools in place, regulators are primarily looking to ensure advisors have actually written their processes down and that they're actually following those processes. Advisors starting from scratch are going to want to begin with the basics (see 5 Cybersecurity Best Practices), then build out their processes and procedures to address each item of the SEC's sample checklist. Regardless of the current state of an advisor's cybersecurity program or preparedness, the evolving nature of cybersecurity requires all advisors to continuously improve their processes, procedures, and tools. (In addition to regulator guidance, look to NIST for the latest updates.)
Can Advisors Do This Themselves?
Yes. While creating an actual cybersecurity program yourself can require a significant up-front time investment, regular reviews and ongoing training can be standardized without becoming too much of a burden. Pat Cleary of asset-management firm Alpha Architect has an excellent and highly detailed guide on how to set up and manage a comprehensive cybersecurity program that addresses regulator guidelines. Further, much of the data protection heavy lifting can likely be handled by tools that advisors are already using, and advisors don't need to fully understand the mechanics of something like the 256-bit Advanced Encryption Standard or a virtual private network (VPN) in order to take advantage of these safeguards. (For example, many trusted third-party cloud storage solutions, such as Microsoft OneDrive, Google Drive, Dropbox, and so on, encrypt data both at rest and in transit.)
Will Following Regulators' Guidance on Cybersecurity Result in Immunity From Cyberattacks?
Absolutely not. Human beings are the weakest link in any cybersecurity program, and it doesn't matter how secure your "castle" is if you, one of your coworkers, or a vendor accidentally leaves the door open by clicking on a malicious link or using a thumb drive. Another common misconception among advisors and other small business owners is that their greatest threats are highly sophisticated hackers using state-of-the-art technology to crack their passwords and steal client information from their desktop or cloud storage provider. Brute-force attacks like this are actually less common and far less successful when today's encryption standards, which are typically built into your existing tools, are in use. Bad actors are much more likely to focus on the weakest link (people) by tricking you or someone else into simply giving them your password via phishing scams, or by impersonating a client via email to convince you to send a third-party wire to an account in a foreign country. (Tricking you into sending them money directly is typically more lucrative and less time-consuming than selling a client's information or attempting identity theft.)
The Bottom Line
While cybersecurity (and related compliance) is a constantly evolving issue, advisors should know that regulators have issued guidance and are looking for firms to take specific steps to implement a cybersecurity program. Additionally, while there is no single solution or approach that will work for all advisory businesses, advisors can handle this implementation on their own with the right resources and are likely to have a better understanding of general cybersecurity principles and their specific risks through the process.
Ben Brown is a certified financial planner and an IRS-enrolled agent. He is the founder of Entelechy, a fee-only financial planning and investment management firm based in Bethesda, Maryland, serving clients in the Washington, D.C., area and nationally.
The author is a freelance contributor to Morningstar.com. The views expressed in this article may or may not reflect the views of Morningstar.