Cybersecurity and providing greater protections for consumers are on everyone’s mind. Part of the reason is the recent implementation of the European Union’s General Data Protection Regulation (GDPR) on May 25, 2018, the rollout of the state of New York’s cybersecurity regulations the year before, and the growing threat of cybersecurity attacks.
On March 1, 2017, the Department of Financial Services (DFS) for NY put into effect new cybersecurity regulations entitled “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR 500) with a goal to “promote the protection of customer information as well as the information technology systems of regulated entities.”
According to the official document, the regulation was created to help protect the financial services industry from cybersecurity threats, which have grown at an exponential rate over the past several years. Additional rules for the regulation are to be phased in between 2018 and early 2019.
While this regulation — the first of its kind in the country — is limited to only New York, I believe that financial institutions, such as registered investment advisor (RIA) firms, in other states can learn from this regulation for how they can approach their own cybersecurity programs.
What the NY Cybersecurity Regulation Entails
The one-of-a-kind cybersecurity mandate provides the minimum regulatory standards to help cybersecurity programs keep pace with evolving technologies. It requires each company to assess its specific risk profile and to use the resulting information to develop a tailored and robust program.
Some of the mandatory provisions include:
- Implementing a risk-based cybersecurity program that includes written policies, procedures, and an incident response plan (IRP).
- Designating a Chief Information Security Officer (CISO) who is qualified to implement and enforce the cybersecurity program while also ensuring that the program and all IT systems stay up to date with information about the latest computer security threats and solutions.
- Performing periodic user access assessments to review who has access to confidential data and networks.
- Reporting security and breach events to the Department of Financial Services within 72 hours of such incidents — including any unsuccessful attacks that posed potential threats.
In addition to these requirements, the mandate also outlines other steps financial institutions must take to be compliant with the new regulation. These components relate to the following areas:
- Assessing and Setting Access Privileges;
- Application Security;
- Audit Trail;
- Cybersecurity Personnel and Intelligence;
- Different Types of Policies;
- Encrypting Non-Public Information;
- Limitations on Data Retention;
- Multifactor Authentication; and
- Different Types of Tests and Assessments (Such as Penetration Testing, Vulnerability Assessments, and Risk Assessments).
As an RIA, you already know that the U.S. Securities and Exchange Commission (SEC) provides guidelines and regulations to help financial and investment industry organizations and professionals like you protect customers from cybersecurity dangers. Following the cybersecurity regulations outlined in the mandate helps you remain compliant with many of the SEC’s requirements.
Reasons Why RIAs Should Follow New York’s Example
1. To Help Minimize the Growing Risks and Costs of Cyber Crime
When it comes to the costs of cybercrime, registered investment advisors need to do everything in their power to minimize the potential damage to their firms and, as a result, their clients. According to the most recent report from McAfee, cybercrime cost between $445 billion and $608 billion worldwide in 2017.
In addition to the financial costs, this type of crime against RIAs also results in:
- Loss of intellectual property, personally identifiable information (PII), and other sensitive data;
- Loss of business opportunities and revenue;
- Loss of brand reputation and trust from clients; and
- Misuse or sale of data belonging to your firm or clients on the Dark Web.
As a financial institution, you have a responsibility to have protections in place to help minimize the risks of falling prey to cyber attacks. Although it is not possible to prevent 100% of all attacks, you can at least take steps to reduce these risks to your firm.
2. Every RIA Firm Should Have Policies & Procedures in Place
Cybersecurity concerns need to be addressed directly through the creation and enforcement of cybersecurity policies and procedures at the organizational level. Support for these initiatives needs to come from the very top levels of the organization — from the CEO and all other executives.
Some of the types of policies and procedures that should be implemented and enforced include:
- Acceptable Use Policy (AUP);
- Business Continuity (BC) Plan;
- Computer Use Policy (CUP);
- Disaster Recovery (DR) Plan;
- Email Policy;
- Network Use Policy (NUP);
- Password Policy; and
- Policy of Least Privilege (POLP).
3. Every RIA Firm Should Develop a “Cyber-Aware” Culture
In addition to cybersecurity concerns being addressed from the top down, all employees (the CEO and other executives included) need to undergo cybersecurity awareness training to harden your firm’s “human firewall.”
People are both your RIA firm’s biggest weakness and its greatest asset; it all depends on their training and level of understanding of cybersecurity best practices and threats. Trained and informed employees are better prepared to recognize and respond to threats such as phishing emails that pose significant risks to your firm’s RIA technology than those who have no clue what a phishing email is — let alone how to recognize or respond to it.
I would say that the creators of the New York mandate agree with this idea. Section 500.14 of the regulation, Training and Monitoring, specifies that covered entities must “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”
Simply put, ongoing education is key to strengthening your cybersecurity posture and protecting your RIA’s technology, client data, and overall firm. Users at all levels need to realize the severity of phishing, understand the impacts of these clever attacks, and know how to navigate these threats on a daily basis.
Keeping email safe is only one piece of the cybersecurity puzzle. To learn more about how to protect your registered investment advisor firm and RIA technology, download our free resource now by clicking on the image below.