By Cory Roberson, Principal at FIN Compliance and FIN Lancer
On 10/31/17, we discussed tips for reviewing disaster recovery measures for your firm.
Now, let's take a closer look at another possible significant business disruption (SBD): a data breach, or "hack."
Case Study (Equifax)
Seven Ways for Advisors (or Clients) to shield themselves during a hack
Obtain your credit report (U.S. consumers are entitled to a free report from each of the three bureaus every year).
Purchase a credit monitoring service.
Request fraud alerts (credit alerts) with the credit bureaus.
Place a security freeze on your credit files (prevents new lines of credit from being opened in your name).
Change passwords on affected accounts, use a unique password for each account, and turn on multi-factor authentication where it is offered.
Monitor account statements for transactions you do not recognize.
What does the SEC say about this?
The SEC Office of Compliance Inspections and Examinations (OCIE) carried out a cybersecurity examination initiative under its National Examination Program last summer and has since published its observations. The examinations focused on firms' written cybersecurity policies and procedures, and included validating and testing whether those policies and procedures had actually been implemented and followed.
After examining risk assessments, access rights and controls, data loss prevention, vendor management, training and incident response, the examiners found several areas that needed work.
The OCIE examiners found that many firms had not installed available software patches, including some that contained critical security updates. An unpatched system leaves a known, publicly documented weakness open; applying those updates promptly is one of the cheapest ways to keep clients' personal information from reaching people outside your organization.
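The patching gap OCIE flagged is easy to turn into a routine check. The following is an added example, not code from the original post or from OCIE: it parses the output of `apt list --upgradable` on a Debian/Ubuntu host and flags any pending update that comes from a `-security` suite. The sample output is constructed for the example, and the assumption that security fixes ship from a suite named `<release>-security` reflects Ubuntu and Debian conventions.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `apt list --upgradable` output (not captured from a real host).
SAMPLE_APT_OUTPUT = """\
Listing... Done
libssl1.1/focal-updates,focal-security 1.1.1f-1ubuntu2.19 amd64 [upgradable from: 1.1.1f-1ubuntu2.16]
openssh-server/focal-updates,focal-security 1:8.2p1-4ubuntu0.9 amd64 [upgradable from: 1:8.2p1-4ubuntu0.5]
vim/focal-updates 2:8.1.2269-1ubuntu5.14 amd64 [upgradable from: 2:8.1.2269-1ubuntu5.11]
"""

# One upgradable entry: name/suite[,suite...] version arch [upgradable from: version]
LINE_RE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from: (?P<old>[^\]]+)\]$"
)


@dataclass(frozen=True)
class PendingUpdate:
    name: str
    installed: str
    available: str
    suites: tuple

    @property
    def is_security(self) -> bool:
        # Assumption: Ubuntu/Debian publish security fixes from a "<release>-security" suite.
        return any(s.endswith("-security") for s in self.suites)


def parse_upgradable(text: str) -> list:
    """Parse `apt list --upgradable` output into PendingUpdate records."""
    updates = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skips "Listing... Done", blank lines and anything unexpected
            continue
        updates.append(PendingUpdate(m["name"], m["old"], m["new"], tuple(m["suites"].split(","))))
    return updates


def pending_security_updates(text: str) -> list:
    return [u for u in parse_upgradable(text) if u.is_security]


def patch_status(text: str) -> str:
    """'FAIL' if any security update is still pending, otherwise 'PASS'."""
    return "FAIL" if pending_security_updates(text) else "PASS"


def live_apt_output() -> str:
    """Run the real command on a Debian/Ubuntu host (run `apt update` first so the list is current)."""
    return subprocess.run(["apt", "list", "--upgradable"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for u in pending_security_updates(SAMPLE_APT_OUTPUT):
        print(f"SECURITY  {u.name}: {u.installed} -> {u.available}")
    print("status:", patch_status(SAMPLE_APT_OUTPUT))
```

On a real host, replace `SAMPLE_APT_OUTPUT` with `live_apt_output()`; `apt` prints a warning about not having a stable CLI interface on stderr, which is why the parser ignores every line that does not match the entry format. A "FAIL" here is exactly the finding OCIE reported, so scheduling this check (and acting on it) is a concrete way to close that gap.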
OCIE also observed that, although most advisors had policies and procedures in place, they were often vague and gave employees only general guidance rather than specific instructions.
According to NASAA's 2017 Cybersecurity Report, covering more than 1,000 state securities examinations:
85% of state registrants use computers, tablets, and/or smartphones.
92% of firms use e-mail to contact clients (only 50% use secure e-mail).
56.7% of firms have procedures to authenticate instructions received from their clients.
62% of firms have conducted a cybersecurity risk assessment.
44% of firms have procedures in place for cybersecurity.
47.5% have procedures for the storage of electronic data.
Conclusion
Firm Cybersecurity Policies should include the following:
Maintenance of an inventory of data, information and vendors.
Detailed cybersecurity-related instructions.
Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities.
Established and enforced controls on access to data and systems.
Mandatory employee training.
Engaged senior management.
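"Testing data integrity" is the item on that list most often left as a sentence in a policy. As an added example (not from the original post), here is a minimal baseline-and-verify check in Python: hash every file under a data directory, keep an HMAC-signed manifest as the baseline, and later report anything added, removed or altered. The directory contents, file names and demo key are constructed for the example; in practice the signing key lives in a secrets store, not beside the data it protects.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16
# Assumption: a demo key; a real deployment keeps this in a secrets store,
# never in the same location as the data it protects.
DEMO_KEY = b"replace-me-with-a-key-from-a-secrets-store"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so the baseline itself cannot be silently edited."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def manifest_signature_ok(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the directory as it is now against the baseline; returns what drifted."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def integrity_ok(drift: dict) -> bool:
    return not (drift["added"] or drift["removed"] or drift["modified"])


def demo() -> tuple:
    """Build a baseline over constructed files, tamper, then verify. Returns (drift, baseline_signature_ok)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clients.csv").write_text("id,name\n1,Alice\n")       # constructed data
        (root / "notes.txt").write_text("quarterly review done\n")    # constructed data
        baseline = build_manifest(root)
        signature = sign_manifest(baseline, DEMO_KEY)

        # Three kinds of drift: an edited record, a deleted file, an unexpected new file.
        (root / "clients.csv").write_text("id,name\n1,Mallory\n")
        (root / "notes.txt").unlink()
        (root / "dropper.bin").write_bytes(b"MZ\x90\x00")

        drift = verify_manifest(root, baseline)
        return drift, manifest_signature_ok(baseline, signature, DEMO_KEY)


if __name__ == "__main__":
    drift, sig_ok = demo()
    print("baseline signature valid:", sig_ok)
    print("integrity ok:", integrity_ok(drift))
    for kind, paths in drift.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

The signature on the manifest is the part most home-grown scripts skip: without it, anyone who can alter the client data can also regenerate the baseline and the check passes forever. Run the verify step on the "prescriptive schedule" the conclusion calls for, and treat any non-empty drift list as an incident to explain, not a warning to dismiss.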
Compliance and Business Management
FIN Compliance (FINCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019). Access all services on one site: FINCompliance.io.
Impact
FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.