David Matalon - workplace
Our observations about FINRA’s 2017 Exam Findings, 2018 Priorities and their potential relevance for Broker-Dealers
There was no shortage of headline-grabbing cyber-related events in 2017: leaks from Equifax, Verizon and Deloitte, as well as the WannaCry ransomware attack. It is clear from reading these FINRA missives that cybersecurity and technology risks continue to preoccupy the financial services community. Cybersecurity is essentially a standing item on FINRA’s annual examination roadmap, and its inclusion again in 2018 further solidifies this conclusion.
In the wake of headline-grabbing hacks like Equifax, experts weigh in on how advisors can step up their protection.
Despite headlines all month showing the scope of compromised personal information in attacks on Equifax, Yahoo and the SEC, many advisors still aren’t taking cybersecurity seriously.
An examination of more than 1,200 investment advisors by the North American Securities Administrators Association uncovered 698 deficiencies, including no or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant and a lack of procedures regarding hardware and software updates or upgrades.
When it rains, it pours. Shortly after the Securities and Exchange Commission (SEC) was the subject of a Government Accountability Office report stating that it must do more to protect its computer systems from cyber-attacks, the regulator announced that its EDGAR network suffered a security breach last year. The SEC originally didn’t believe that anyone’s personal information had been compromised, but later, after a detailed forensic analysis, the regulator discovered that the names, birthdates, and Social Security numbers for two people had indeed been exposed.
This series of events powerfully illustrates the rapid growth and expansion of the cyber threat. Even one of the most powerful federal regulators, responsible for setting and enforcing standards on cybersecurity for financial services firms, finds it challenging to stay one step ahead of cyber-criminals.
I did not write this article to criticize the SEC. The regulator’s staff members deserve praise for their commitment to consistently improving the security of sensitive financial information, and investment firms’ computer systems in general, across the industry. The point I’m making is that if even the SEC can fall victim to hackers, no financial advisory practice or other business, regardless of size, can afford to make light of the cyber threat.
Dealing with cybersecurity incidents is not a question of ‘if’ but rather ‘when’ it happens
Cybercrime continues to be a very serious problem in the financial industry. The number and sophistication of malicious attacks has increased over the last few years and is not expected to slow down anytime soon. While the latest OCIE alert shows a marked increase in overall cybersecurity preparedness and awareness by advisors and broker-dealers, there are still areas where firms are failing. This white paper details our observations in the field and provides real-world guidance to the security issues advisors and broker-dealers are facing on a daily basis.
The type of cloud computing solution you choose must be the one that best aligns with your practice’s clients, resources, expertise, business model and goals
As more wealth management firms trade in their licensed software for cloud-based digital technology solutions, those that haven’t made the switch are understandably eager to find out more about the cloud and the benefits it can provide.
However, before beginning due diligence on providers of cloud-based solutions, they need to first understand which type of cloud is the right one for them. Even among IT experts, the term “cloud” can mean different things to different people. The cloud isn’t just “the cloud”: there are public, private and hybrid clouds, and they work in different ways. RIAs and broker-dealers have to identify which cloud is the right choice for their individual practice at the start of the process.
Financial advisors have more work to do when it comes to protecting their systems from hackers, InvestmentNews reports, citing cybersecurity examination results released this week by the SEC.
“In general, the staff observed increased cybersecurity preparedness since our 2014 Cybersecurity Initiative. However, the staff also observed areas where compliance and oversight could be improved,” the SEC noted in its exam risk alert bulletin.
Advisory firms should more closely adhere to their stated cybersecurity policies, keep current on security patches and correct all vulnerabilities detected, the SEC noted. These observations stem from examinations of 75 firms, including broker-dealers, investment advisers and funds conducted from September 2015 through June 2016.
Mobile devices have made it possible for financial advisors, and professionals in a wide variety of other industries, to seamlessly conduct business and engage with clients in any location, and at any time, outside the office. But while laptops, iPads, and smartphones have enabled advisors to complete work and collaborate with colleagues and clients from home and on the road, these mobile devices can also increase the risk of security breaches if they are not properly secured and monitored.
One misplaced or stolen mobile device, or password, is all it takes for hackers to access clients’ sensitive financial information. Advisory practices whose data is compromised can face not only regulatory scrutiny and fines, but also permanent damage to their reputations that could put their very survival in the industry in jeopardy.
However, advisors don’t need to sacrifice convenience for effective cybersecurity. Below are tips that advisors can follow to make sure all data, documents, and emails on their firm-approved mobile devices are secured against hackers.
1. Implement Multi-Factor Authentication & Other Security Controls on All Mobile Devices
Cyber-criminals, along with the technology systems they seek to infiltrate, are becoming more and more sophisticated. Needless to say, it shouldn’t be easy for them to figure out a mobile device’s password. Unfortunately, hackers are quite crafty, so advisors need to add an extra layer of protection to their firms’ mobile devices by implementing two-factor authentication. This authentication process requires users to enter a standard password together with a one-time code, which cannot be reused, when they connect from unrecognized devices.
Advisors can further secure their firm’s mobile devices by rolling out security controls that limit access to client data to specific authorized users rather than all practice employees. These controls ensure that only select employees can download, copy, forward, or print sensitive information from their devices.
New regulations in Colorado set ‘commodity security’ apart from robust cybersecurity practices
Justin Kapahi, vice president of solutions and security at Workplace, is excited about a new set of cybersecurity regulations for financial institutions that were recently passed in Colorado.
The Colorado Division of Securities published final rules in mid-May that compel broker-dealers and investment advisors to establish and maintain written cybersecurity procedures designed to protect clients’ personal confidential information. Those procedures include using secure emails that employ encryption and multifactor authentication practices for employees to access databases, among other things.
Kapahi believes these rules will go a long way toward helping financial advisory firms in Colorado understand how best to protect themselves from hackers. Even if most firms in this industry have in place what Kapahi calls “commodity security” (firewalls and anti-virus protection, for example), many are not truly equipped to counter “socially engineered threats” like spam emails that look innocuous but can result in major database breaches.