By Telly Valerie Onu, Contributor, Co-Editor RIA Review
It is often difficult for advisors to interpret regulatory changes. We strive to present rich and timely insights to RIAs and Broker-Dealers. This article is the first part of a series offering further insight on Cyber Protection, Compliance and RegTech.
DON’T BE THE REGISTERED INVESTMENT ADVISORY FIRM IN THE NEWS!
As a principal operating a registered investment advisor or broker-dealer, cybersecurity should be a major concern. According to the 2017 Investment Adviser Coordinated Examinations report published by the North American Securities Administrators Association (NASAA), 23.4% of the firms with assets under management (AUM) that were examined had at least one cybersecurity-related deficiency. See Fig 1 below.
Fig 1 (Source: NASAA 2017 Coordinated Exams report)
The reality is that all financial advisors are vulnerable to cybersecurity breaches, regardless of their size and location. Malicious attacks are among the most challenging operational risks and the principal cause of data breaches; distributed denial of service (DDoS) attacks, while disruptive, threaten availability rather than the confidentiality of client data. According to the 2017 Cost of Data Breach study conducted by the Ponemon Institute, 52 percent of data breach incidents involved a malicious or criminal attack, 24 percent were caused by negligent employees, and another 24 percent were caused by system glitches, including both IT and business process failures.
The Financial Industry Regulatory Authority ("FINRA") and the U.S. Securities and Exchange Commission ("SEC") each publish regulatory and examination priorities, and both place cybersecurity at the top, laying heavy emphasis on awareness and industry guidelines to encourage the implementation of cybersecurity programs. However, even the most robust cybersecurity program can be compromised. The greatest challenge is that cyber threats are becoming more sophisticated, complex and ever-evolving, requiring new methods of mitigation. Yet some of the most successful threat activity remains relatively basic and relies on simple social-engineering tactics, such as impersonating an executive by email to trick staff into wiring large sums of money to criminal gangs. When such phishing targets senior executives it is known as "whaling"; the broader fraud pattern is called business email compromise (BEC).
While the majority of investment advisors outsource their general tech support and compliance functions, the significant costs arising from a data breach are reason enough for RIAs to shift their focus to elevating their cybersecurity programs.
Think about it for a minute: there are client liability issues which can lead to serious litigation costs; there is the reputational damage and lost business that can result from failing to protect the privacy of your clients; and lastly there is the regulatory risk of being fined. For example, in 2016 the SEC fined Morgan Stanley $1 million for failing to adopt written policies and procedures reasonably designed to safeguard customer data. According to the 2017 Ponemon Institute study, the average total cost of a data breach was approximately $3.62 million (an average across organizations of all sizes, not a figure specific to small or midsize RIAs). See Figure 2 below.
Fig 2: Organization Cost Per Data Breach (Source: Ponemon Institute 2017, IBM research)
In addition to the overall cost of a breach, the study also found that factors such as compliance failures increase the per-record cost of a data breach by about $11.20. Now imagine a client database of 30,000 records: that is an additional cost of $336,000 attributable to compliance failures alone.
To evaluate your own organization's exposure to cybersecurity threats, use the calculator provided by FireEye.
Is your firm adequately prepared for an incident?
SEC and FINRA examiners are extremely concerned with the risk and handling of Personally Identifiable Information (PII), and they will scrutinize governance and risk assessment, access rights and controls, data loss prevention, vendor and third-party management, and incident response.
One of the first things to do is to plan for an incident. The Cybersecurity Incident Response Plan is the first line of mitigation: it forms part of the cybersecurity policy and outlines the steps the firm will take when a risk or threat is discovered. All RIAs are expected to have this policy in place, as it documents what the firm is doing to minimize the risk of threats and how it intends to respond in the event of a breach. Firms are also expected to fully track and document their response steps and to fully disclose the damage done, costs, and recovery procedures.
The mitigation plan for discovery and reporting should include at least the following:
- Name and contact details of the person making the notification;
- Date and time of the notification;
- Date and time the incident occurred (if known);
- Source of the attack;
- Systems accessed;
- Information extracted or compromised;
- Security status of sensitive client or firm information;
- Date of notification to impacted parties;
- Details of the incident.
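As an added example (not code from the original article or from RIA Review), the following Python module records the fields listed above as a structured incident entry, validates that the required fields are present and that the timestamps are consistent with each other, and chains each entry to the previous one with SHA-256 so that a later edit to any logged response step is detectable when the register is reviewed. The SHA-256 hash chain is a common tamper-evidence technique that the article does not itself prescribe; the field names and the sample incident are assumptions constructed for this illustration.

```python
"""Tamper-evident incident register for the discovery/reporting record.

Added example: not code from the original article or from RIA Review.
Field names, the sample incident and the SHA-256 hash chain are assumptions
made for this illustration, not requirements stated by the article.
"""
import hashlib
import json
from datetime import datetime

# Fields the article lists for the discovery and reporting record.
REQUIRED_FIELDS = (
    "reporter_name",            # name of the person making the notification
    "reporter_contact",         # their contact details
    "notified_at",              # date/time of the notification (ISO 8601, tz-aware)
    "source_of_attack",
    "systems_accessed",
    "information_compromised",  # information extracted or compromised
    "sensitive_info_status",    # security status of sensitive client/firm information
    "details",                  # details of the incident
)
# Items that may still be unknown when the entry is first filed.
OPTIONAL_FIELDS = ("occurred_at", "impacted_parties_notified_at")

# Constructed sample incident (fictional data, not from any real firm).
SAMPLE_INCIDENT = {
    "reporter_name": "J. Doe, CCO",
    "reporter_contact": "jdoe@example-ria.test",
    "notified_at": "2017-11-02T14:05:00+00:00",
    "occurred_at": "2017-11-01T22:10:00+00:00",
    "source_of_attack": "phishing email impersonating the managing partner",
    "systems_accessed": "custodian portal credentials of one associate",
    "information_compromised": "client names and account numbers (est. 120 records)",
    "sensitive_info_status": "credentials reset; custodian alerted; no wires executed",
    "impacted_parties_notified_at": "2017-11-03T10:00:00+00:00",
    "details": "associate entered credentials on a spoofed login page",
}


def _parse_ts(value):
    """Parse an ISO 8601 timestamp and insist on an explicit timezone."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone: {value!r}")
    return ts


def validate_incident(record):
    """Raise ValueError unless the record is complete and internally consistent."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    unknown = set(record) - set(REQUIRED_FIELDS) - set(OPTIONAL_FIELDS)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    notified = _parse_ts(record["notified_at"])
    if record.get("occurred_at") and _parse_ts(record["occurred_at"]) > notified:
        raise ValueError("incident cannot occur after it was reported internally")
    if record.get("impacted_parties_notified_at") and \
            _parse_ts(record["impacted_parties_notified_at"]) < notified:
        raise ValueError("clients cannot be notified before the internal report")
    return True


class IncidentRegister:
    """Append-only register; each entry's hash covers the previous entry's hash,
    so altering or removing an earlier entry invalidates every later one."""

    GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so the same record always hashes the same way.
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, record):
        """Validate and append a record; return its chain hash."""
        validate_incident(record)
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = self._digest(prev, record)
        self.entries.append({"prev": prev, "record": dict(record), "hash": digest})
        return digest

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["record"]):
                return i
            prev = entry["hash"]
        return -1


if __name__ == "__main__":
    reg = IncidentRegister()
    reg.append(SAMPLE_INCIDENT)
    print("chain intact:", reg.verify() == -1)
    reg.entries[0]["record"]["details"] = "edited after the fact"
    print("first tampered entry:", reg.verify())
```

Each follow-up step (containment, client notification, recovery) is filed as a further entry rather than by editing an earlier one, so the register itself becomes the documented response trail that examiners ask for; anchoring the latest hash somewhere outside the firm's own systems (for example in a dated email to outside counsel) makes the whole chain independently verifiable.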
To ease your workload and streamline your compliance tasks, it is key to leverage a calendaring solution, notification templates, and a repository from which you can retrieve the information in a time of crisis. RIA Review provides user-friendly online compliance management software. Key benefits include a cloud-based compliance directory to store required books and records, a compliance calendar and templates, and forms and agreements to update documentation, to name but a few.
Let's face it, everybody wants to make sure their life savings stay secure. What better way for RIAs to build loyalty than by ensuring that systems and processes are in place to protect clients' data? So, the next time there is a data breach, don't be the RIA firm in the news.
Our Mission: “Serving the Investment Community to Make a Social Impact”
Telly Valerie Onu is a Contributor and Co-Editor of RIA Review, a compliance and document management portal (www.riareview.com) with 120+ users and growing. An experienced digital economist, global strategist, management and development consultant and financial innovator with a focus on Fintech, InsureTech and Wealthtech, and a seasoned Blockchain Enterprise Architect, she is a member of the working group on the Eastern Caribbean Currency Union (ECCU) Payment System and Financial Innovation. She is the founder of Osusulabs (www.osusutechnologies.com), a backend-as-a-service digital financial infrastructure for financial institutions and businesses. She is the founder and CEO of QGlobal, a boutique global strategy, venture development and advisory firm, and the co-founder and Governance Partner of Beyond Capital Markets (www.beyondcapitalmarkets.com), a global alternative impact investment platform and crypto asset exchange.
She graduated from École Polytechnique Fédérale de Lausanne in Switzerland with a Master's in E-Governance (advanced studies in networked governance) and is currently a Fellow at the Frankfurt School of Finance & Management specializing in Climate Adaptation Finance.
Telly Onu is the co-author of The InsurTECH Book: The Insurance Technology Handbook for Investors, Entrepreneurs, and Fintech Visionaries, published by Wiley.
An innovator at heart, she has a passion for enabling emerging-market ecosystems through innovative venture development programs via her foundation Innovatethenext (www.innovatethenext.org), based in St. Kitts and Nevis in the West Indies.