Monday, May 7, 2018

The Cost Non-Compliance & Cyber Vulnerabilities - Part 2

By Telly Valerie Onu, Contributor, Co-Editor RIA Review 

It is often difficult for advisors to interpret regulatory changes. We strive to present rich and timely insights to RIAs and Broker-Dealers. This article is the second part of a series on Cyber Protection, Compliance, and RegTech.
As we noted in Part 1 of our article series, RIAs can experience significant costs if/when firms are complacent about addressing cyber vulnerabilities and risks for their practices. In this second article, we will look at the linkage between compliance and cybersecurity as a continuation of our previous article on the subject.
It takes a team effort! More firms are starting to get the memo on Cybersecurity. The Financial Industry Regulatory Authority (FINRA) noted that firms have generally increased their focus on cybersecurity issues. However, in its most recent examination report (December 2017), FINRA highlighted key areas of firms' cybersecurity programs that it observed were still deficient.

These include:
  • Governance & Risk Assessment;
  • Access Management: controlling system access;
  • Data Loss Prevention;
  • Branch Office reviews of protocols;
  • Segregation of duties: delegation of tasks.
Furthermore, although threats may be more frequent and sophisticated, it is not surprising that the underlying challenge in mitigating risks is linked to weak Governance & Risk Assessment frameworks. The fact remains that many firms are not putting the necessary policies, processes and relevant control measures in place. A recent study by Dalbar/ThinkAdvisor, “The State of Authentication in Financial Services,” revealed that 74% of firms have the same practices they’ve had for the past five years, and only a “paltry” 4% are planning to adopt new practices. Advisors generally believe that client assets are safe thanks to the diversification of their investments, but they forget that it is not only the assets that are being diversified but also the third-party institutions in their network.

RIAs with broker-dealers and other client asset holding institutions such as investment firms, insurance companies and record-keepers should be very concerned about Cybersecurity measures.
As Cory Roberson from RIA REVIEW points out, the bottom line is that advisors are going to be called to account if something goes wrong. Overcoming this challenge comes down to having an effective compliance program in place. The key thing is not to leave Cybersecurity only to the tech guys, as many can be unfamiliar with the context of your regulatory agency's specific cybersecurity protocols.

SEC/FINRA cybersecurity provisions are different than the general IT compliance that many tech people study. RIAs should take ownership of cybersecurity through policies and procedures review, just as they would take ownership of any other compliance requirement.
Keeping a laser focus on implementing Cybersecurity-focused policies, procedures, incident response plans, and business continuity planning on top of all the other compliance requirements can be time consuming and sometimes burdensome for any RIA.
Making Cybersecurity an intrinsic part of corporate culture and compliance requirements will not only serve to reduce costs, but also make your firm better prepared for auditors. To this end, advisors should conduct regular internal cybersecurity risk assessments, document responses to any identified threats, and engage in regular, robust training.
Following the Cybersecurity Incident plan, one must have a Disaster Recovery Plan in the event of an attack.  Secured and encrypted document storage is also an important element to document firm operations and store client specific files as needed. 
As this demands a high level of organization and automation, one way of simplifying the compliance management process is through RegTech, using compliance software to streamline a number of key tasks. While there are other compliance software options available, the challenge with many off-the-shelf or cloud-based compliance management software products is that many do not consider the underlying business processes, which tend to be unique to each RIA or Broker-Dealer practice. Firms must go beyond the "one-size-fits-all" approach.
When it comes to selecting the right compliance software, one needs to evaluate options for their ability to design and develop a compliance program in accordance with each firm's processes, workflows and regulatory needs. One big drawback of this level of customization is the cost and resources needed to make the solution work, and most RIAs do not have internal IT support with the capability to customize the software installation. The second major drawback is that some RIA compliance solutions are not necessarily built with the tacit knowledge of investment adviser rules and regulations. Some solutions may inadvertently blend SEC or State compliance statutes with those of other regulatory bodies, such as FINRA. This approach doesn't necessarily work as well for the RIA-only model, as it can create a burden on the practice to manually segment the regulatory divergences the software has failed to capture.
One such solution that takes away these pain points for RIAs is RIA Review, a documentation-based solution that helps boutique investment advisors maintain an internal compliance program by leveraging their ability to tailor processes. RIA Review is a product of Roberson Venture Group, Inc. Our consulting arm, RIA Consults - Roberson Consults Group, has served more than 160 SEC & State Registrants in both the US and United Kingdom, and the software is designed with regulatory knowledge and insights to remove friction for RIA firms.
The key benefits of the software include, but are not limited to, the following:

  • Cloud-based compliance directory to store required books/records;
  • Review Center to schedule review of firm policies/procedures;
  • Forms/Agreements to update documentation;
  • News and Updates to customize compliance calendar;
  • Annual review required for some firms.
RIAs now have the benefit of a one-stop-shop solution to streamline compliance requirements, reduce the time it takes to prepare for an audit and, most importantly, minimize the impact and cost of some data breaches by adopting a solid compliance program.
As RIAs look toward the future—a continual mandate in the industry—they ought to consider adopting compliance practices which better align with cybersecurity plans and mitigation initiatives. To succeed in rallying workforces around compliance and cybersecurity, it might go a long way if change occurs at the very heart of the organization—to the holistic culture that defines them.

Our Mission: “Serving the Investment Community to Make a Social Impact”

Telly Valerie Onu is a Contributor and Co-Editor of RIA Review, a compliance and document management portal with 120+ users and growing. An experienced digital economist, global strategist, management & development consultant and financial innovator with a focus on Fintech, InsureTech and Wealthtech, and a seasoned Blockchain Enterprise Architect, she is a Member of the working group on the Eastern Caribbean Currency Union (ECCU) Payment System and Financial Innovation. She is the founder of Osusulabs, a backend-as-a-service digital financial infrastructure for Financial Institutions and Businesses. She is the founder and CEO of QGlobal, a boutique global strategy, venture development and advisory firm, and she is also the co-founder and Governance partner of Beyond Capital Markets, a global alternative impact investment platform and crypto asset exchange. She graduated from Ecole Polytechnique Federale de Lausanne in Switzerland, specializing in a Masters in E-Governance (advanced studies in networked governance), and is currently a Fellow at the Frankfurt School of Management and Finance specializing in Climate Adaptation Finance.
Telly Onu is the Co-Author of The InsurTECH Book: The Insurance Technology Handbook for Investors, Entrepreneurs, and Fintech Visionaries, published by Wiley.
An innovator at heart, she has a passion for enabling emerging market ecosystems through innovative venture development programs through her foundation Innovatethenext, based in St. Kitts and Nevis, in the West Indies.
