
Sunday, November 12, 2017

Advisor prep for Data hacks and CyberSecurity Policies

By Cory Roberson, Principal at FIN Compliance and FIN Lancer
On 10/31/17, we discussed tips for reviewing Disaster Recovery measures for your firm. Now, let’s take a closer look at another possible standard business disruption (SBD): Data Hacks.

Case Study (Equifax)

Seven Ways for Advisors (or Clients) to shield themselves during a hack

Contact Equifax to determine if you’re at risk.
Buy a credit report.
Purchase a credit monitoring service.
Request Credit Alerts.
Get a security freeze on accounts (prevents new lines of credit).
Change passwords.
Monitor statements.

What does the SEC say about this?

The SEC Office of Compliance Inspections and Examinations (OCIE) implemented a National Examination Program last summer and has posted several observations. The examinations focused on firms’ written policies and procedures regarding cybersecurity and included validating and testing that the policies and procedures were implemented and followed.

After examining risk assessments, access rights and controls, data loss prevention, vendor management, training, and incident response, they found a few issues that needed work.
The OCIE examiners found that many firms had not installed software patches, many of which included critical security updates. These updates help you make sure your clients’ personal information is protected and not available to folks outside your organization.
Examiners also observed that, though most Advisors had policies and procedures in place, those policies provided employees only general, vague guidance.

What about State-Registered firms?
According to an NASAA Cybersecurity Report (2017) of more than 1000 State Securities examinations:

4.1% of firms indicated that they experienced a cybersecurity incident.
85% of state registrants use computers, tablets, and/or smartphones.
92% of firms use e-mail to contact clients (only 50% use secure email).
56.7% of firms have procedures to authenticate instructions received from their clients.
62% of firms have conducted a cybersecurity risk assessment.
44% of firms have procedures in place for cybersecurity.
47.5% have procedures for the storage of electronic data.

Firm Cybersecurity Policies should include the following:
Maintenance and an inventory of data, information and vendors.
Detailed cybersecurity-related instructions.
Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities.
Established and enforced controls to access data and systems.
Mandatory employee training.
Engaged senior management.

Compliance and Business Management

FIN Compliance ( is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019). Access all services on one site:


FIN Missions ( provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.
