By Joseph Cassano, CPA – Senior Manager – WithumSmith+Brown, PC
Cybersecurity has become the latest buzzword and focus of the United States Securities and Exchange Commission (“SEC”). The SEC recognizes that registered investment advisers (“RIAs”) rely on technology more and more in everyday business, and that the need to protect the sensitive and confidential information involved in these activities from third parties is at an all-time high because of the ever-changing nature of cyber threats. RIAs need to identify their obligations under the law and assess their ability to prevent, detect and respond to cyber-attacks.
In recent years a wide range of financial services firms have been exposed because of inadequate cybersecurity, which highlights the need for RIAs to review and update their cybersecurity procedures. Advisers specifically should identify their risks and design controls that mitigate those risks and address their own cybersecurity procedures. The SEC has warned RIAs that they will face heightened penalties if they fail to report cybersecurity breaches for fear of investigation.
There are a number of areas on which an RIA could focus its time to diminish the threat of cyber-attacks. Some of these include:
- Performing a periodic assessment of the location and vulnerability of the information the fund collects, how it is processed, and the technology used to obtain the data
- Reviewing the controls and processes currently in place and testing them for vulnerabilities
- Assessing the impact should various systems be compromised
RIAs should create a strategy designed to prevent, detect and respond to cybersecurity threats. Strategies could include:
- Making systems less vulnerable to unauthorized intrusions by having proper firewalls in place and ensuring user credentials are required to access systems
- Encrypting data
- Restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions
- Maintaining a disaster recovery plan
- Developing an incident response plan
Routine testing of these plans could also enhance the effectiveness of any strategy.
RIAs should implement written policies and procedures and train all levels of the firm on the threats they face and on measures to prevent, detect and respond to those threats. Firms may also wish to educate investors and clients about how to reduce the exposure of their accounts to cybersecurity threats.
The measures above are suggestions that RIAs can use when thinking about cybersecurity; they are not intended to be a comprehensive list. Other measures may be more suitable depending on the operations of a particular RIA. Each RIA should determine whether these or other measures need to be considered in addressing its cybersecurity risks. Firms should also start to think about engaging service providers to perform penetration tests to identify areas where their systems are inadequate.