
Thursday, April 26, 2018

The Cost Of Non-Compliance & Cyber Vulnerabilities - Part 1

By Telly Valerie Onu, Contributor, Co-Editor RIA Review

It is often difficult for advisors to interpret regulatory changes. We strive to present rich and timely insights to RIAs and Broker-Dealers. This article is the first part of a series offering further insight on Cyber Protection, Compliance and RegTech.

As a principal operating a registered investment advisor and broker-dealer, cybersecurity is a major concern. According to the 2017 Investment Adviser Coordinated Exams report conducted by the North American Securities Administrators Association (NASAA), 23.4% of firms with AUM examined had at least one cybersecurity-related deficiency. See Fig 1 below.

Fig 1 (Source: NASAA 2017 coordinated exams report)

The reality is that all financial advisors are vulnerable to cybersecurity breaches, regardless of their size and location. Malicious cyber-attacks, such as Distributed Denial of Service (DDoS), are among the most challenging operational risks and principal causes of data breaches. According to a 2017 study conducted by the Ponemon Institute, 52 percent of data breach incidents involved a malicious or criminal attack, 24 percent of incidents were caused by negligent employees, and another 24 percent were caused by system glitches, including both IT and business process failures.

The Financial Industry Regulatory Authority (“FINRA”) and the U.S. Securities and Exchange Commission (“SEC”) each publish regulatory and examination priorities, all of which place Cybersecurity at the top, laying heavy emphasis on awareness and industry guidelines that encourage the implementation of Cybersecurity programs. However, even the most robust cybersecurity programs can be compromised. The greatest challenge is that cyber threats are becoming more sophisticated, complex and ever evolving, hence requiring new methods for mitigation. Yet some of the most successful threat activity remains relatively basic and uses simple social-engineering tactics, such as tricking targets into wiring large amounts of money to criminal gangs. This is known as "Whaling".

While it is a fact that the majority of investment advisors outsource their general tech support and compliance functions, the significant costs arising out of a data breach are enough for RIAs to shift their focus to elevating their cybersecurity programs.

Just think about it for a minute: there are client liability issues which can lead to serious litigation costs; then there is the reputational damage and lost business which can result because you didn’t protect the privacy of your clients; and lastly there is the regulatory risk of being fined. For example, Morgan Stanley was fined $1 Million in 2016 for lacking cybersecurity in some areas. According to the 2017 Ponemon Institute study, a data breach for a small to midsize RIA can cost approximately $3.62 million. See Fig 2 below.
Fig 2: Organization Cost Per Data Breach (Source: Ponemon Institute 2017, IBM research)
In addition to the costs of breaches, the study also revealed that additional factors such as Compliance Failures can increase the per-record cost of a data breach by $11.20. Now imagine a client database of 30,000 records: that’s an additional cost of $336,000 attributable to compliance failures alone.

To evaluate your own organization’s tolerance to cybersecurity threats, use the calculator provided by FireEye. Is your firm adequately prepared for an incident?

SEC and FINRA examiners are extremely concerned with the risk and handling of Personally Identifiable Information (PII), and they will scrutinize the areas of governance and risk assessment, access rights and controls, data loss prevention, vendor and third-party management, and incident response.

One of the first things to do is to plan for an incident. The Cybersecurity Incident Response Plan is the first line of mitigation: it is part of the Cybersecurity policy and outlines the steps the firm will take when a risk or threat is discovered. All RIAs are expected to have this policy in place, as it outlines what the firm is doing to minimize the risk of threats and how it intends to administer responses in the event of a breach. Firms are also expected to fully track and document their response steps, and to fully disclose damage done, costs, and recovery procedures.

The mitigation plan for discovery and reporting should include some of the following:
  • Name and Contact of person making the notification;
  • Date and Time of notification;
  • Date and Time Incident occurred (if known).

When investigating the incident, key elements to log include:

  • Source of the attack;
  • Systems accessed;
  • Information extracted or compromised;
  • Security of sensitive client or firm information;
  • Date of Notification to Impacted Parties;
  • Details of the Incident.
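As an added illustration (not the author's or RIA Review's code), the following Python sketch turns the reporting and investigation fields listed above into an incident record that refuses to open without the mandatory notification details, keeps an append-only timeline of response steps, and reports which investigation fields are still unset before the incident can be closed. The firm, staff and incident values are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Discovery/reporting fields from the post: who reported, their contact, and when
REPORT_FIELDS = ("reporter_name", "reporter_contact", "notified_at")
# Investigation fields the post says to log; a record is not complete until each is filled
INVESTIGATION_FIELDS = (
    "attack_source", "systems_accessed", "information_compromised",
    "sensitive_data_status", "parties_notified_at", "incident_details",
)

@dataclass
class IncidentRecord:
    reporter_name: str
    reporter_contact: str
    notified_at: str                      # ISO-8601 timestamp of the notification
    occurred_at: Optional[str] = None     # "if known" at the time of reporting
    findings: Dict[str, str] = field(default_factory=dict)
    steps: List[Dict[str, str]] = field(default_factory=list)  # append-only timeline

    def record_finding(self, name: str, value: str) -> None:
        if name not in INVESTIGATION_FIELDS:
            raise KeyError(f"not a tracked investigation field: {name}")
        self.findings[name] = value

    def log_step(self, at: str, who: str, action: str) -> int:
        """Append a response step; entries are never edited or deleted, so the list is the audit trail."""
        self.steps.append({"at": at, "who": who, "action": action})
        return len(self.steps)

    def missing_fields(self) -> List[str]:
        return [f for f in INVESTIGATION_FIELDS if not self.findings.get(f)]

    def can_close(self) -> bool:
        """Closure requires every investigation field plus at least one documented response step."""
        return not self.missing_fields() and bool(self.steps)

def open_incident(reporter_name, reporter_contact, notified_at, occurred_at=None):
    """Refuse to open a record that lacks any of the mandatory reporting fields."""
    for name, value in zip(REPORT_FIELDS, (reporter_name, reporter_contact, notified_at)):
        if not value:
            raise ValueError(f"missing required report field: {name}")
    return IncidentRecord(reporter_name, reporter_contact, notified_at, occurred_at)

def sample_incident() -> IncidentRecord:
    """Constructed sample data (hypothetical firm and staff), not from a real incident."""
    inc = open_incident("A. Analyst", "analyst@example-ria.test", "2018-04-26T09:15:00Z")
    inc.log_step("2018-04-26T09:20:00Z", "A. Analyst", "Disabled the compromised mailbox")
    inc.record_finding("attack_source", "Phishing e-mail impersonating a client")
    inc.record_finding("systems_accessed", "One advisor mailbox")
    return inc
```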
To ease your workload, it is key to leverage a calendaring solution, notification templates, and a repository from which you can retrieve the information in a time of crisis.

To prepare and streamline your compliance tasks, RIA Review provides user-friendly online compliance management software. Some of the key benefits include a cloud-based compliance directory to store required books and records, a compliance calendar and templates, and forms/agreements to update documentation, to name but a few.

Let's face it, everybody wants to make sure their life savings stay secure. What better way for RIAs to build loyalty than by ensuring that systems and processes are in place to protect clients’ data. So, the next time there is a data breach, don’t be the RIA firm in the news.

Our Mission: “Serving the Investment Community to Make a Social Impact”
Telly Valerie Onu is a Contributor and Co-Editor of RIA Review, a compliance and document management portal with 120+ users and growing. An experienced digital economist, global strategist, management and development consultant and financial innovator with a focus on Fintech, InsureTech and Wealthtech, and a seasoned Blockchain Enterprise Architect, she is a Member of the working group on the Eastern Caribbean Currency Union (ECCU) Payment System and Financial Innovation. She is the founder of Osusulabs, a backend-as-a-service digital financial infrastructure for financial institutions and businesses. She is the founder and CEO of QGlobal, a boutique global strategy, venture development and advisory firm, and the co-founder and Governance partner of Beyond Capital Markets, a global alternative impact investment platform and crypto asset exchange. She graduated from Ecole Polytechnique Federale de Lausanne in Switzerland with a Masters in E-Governance (advanced studies in networked governance) and is currently a Fellow at the Frankfurt School of Management and Finance specializing in Climate Adaptation Finance.

Telly Onu is the Co-Author of The InsurTECH Book: The Insurance Technology Handbook for Investors, Entrepreneurs, and Fintech Visionaries, published by Wiley.

An innovator at heart, she has a passion for enabling emerging market ecosystems through innovative venture development programs run by her foundation Innovatethenext, based in St. Kitts and Nevis, in the West Indies.
