No one wants to be a victim of a cybersecurity attack. But if you are an investment adviser and your clients’ personally identifiable information (PII) is hacked, you will be a victim and, in the view of the regulators, you might just be treated as a perpetrator as well. Just ask R.T. Jones Capital Equities Management, the firm that was fined $75,000 for having policies and procedures that were not reasonably designed to safeguard client PII. According to the SEC, the firm’s policies and procedures did not include “expected” procedures such as conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident. This administrative action, together with prior and subsequent SEC Risk Alerts on cybersecurity, have set off alarm bells throughout the investment adviser community. Let’s face it, many advisers rely on the anti-virus, anti-malware software that came pre-loaded on their computers. Sure, they may have subscribed for automatic updates, but often that is as far as it goes. After all, cybersecurity is primarily a concern for the biggest firms and well, they are the ones who can actually afford to do something about it. This belief has become a mantra of the small to mid-sized adviser and has been a great source of comfort to them. The R.T. Jones enforcement action, however, has gone a long way to shattering this belief.
I think what the R.T. Jones action and the various Risk Alerts indicates is that advisers must now be much more proactive in dealing with cybersecurity issues. Here then, are six areas that advisers would take into consideration:
- Cybersecurity governance (be able to demonstrate to regulators a clear accountability for managing cybersecurity risks);
- Cybersecurity risk assessment (consider risks associated with remote client access and use of third-party vendors);
- Develop and implement effective policies and procedures;
- Protect firm networks and information (access management and certifications, patch management, data protection, distributed denial of service protection, secure software development life cycle, and resilience planning and testing);
- Detection of unauthorized activity (active monitoring processes); and
- Documentation (as with all areas of compliance you must document everything you do).