If you weren't aware of it, back in April 2014 the U.S. Securities and Exchange Commission - Division of Investment Management issued a directive detailing recommended cybersecurity policies and procedures for Registered Investment Advisors (RIAs). In April 2015, they updated this by releasing their Guidance Update.
Not surprisingly, the update continues to recommend that, to reduce cybersecurity risk, firms conduct recurring periodic assessments that review:
- the nature, sensitivity and location of information that the firm collects, processes and/or stores
- the technology systems it uses
- internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems
- security controls and processes
- the impact should the information or technology become compromised
- the effectiveness of the governance structure for the management of cybersecurity risk
We believe the most important part of addressing the SEC's cybersecurity recommendations is to tackle them head on by incorporating cybersecurity into your overall approach to technology. This means that if you haven't already done so, start with a security assessment and then, equally important, plan on repeating that review annually.
The results of any first assessment ALWAYS include something that needs to be addressed. Don't let that thought overwhelm you or keep you from dealing with it. Start small. Knock some items off the list. As you keep addressing them, the list will become smaller and smaller.
One of the most complex aspects of managing technology is that it's constantly changing. This is why it's so important that security assessments are incorporated into your overall technology strategy and are performed on a recurring basis.
While there's no way to make any system 100% secure, the most important thing is to make sure you're doing your due diligence. And this starts by taking the first step - do something!
For more information, check out the update here.