Retirement is an industry plagued with cybersecurity breaches. Everyone from recordkeepers to advisors is affected.
In 2016, the SEC’s main investor database, the EDGAR system, fell victim to a highly embarrassing security breach when hackers stole thousands of corporate releases and private documents, resulting in over $100 million in illegal trading and other nefarious activity. Fortunately, there are steps that can be taken to develop and implement a successful cybersecurity program that meets SEC requirements.
Investment advisers and broker-dealers should treat cybersecurity as a very important issue. The SEC’s Office of Compliance Inspections and Examinations has included it in its list of examination priorities.
These examinations focus on the following areas:
a. Administration and risk assessment.
SEC examiners may review the level of interaction with senior management and boards of directors and their participation in considering cybersecurity issues, in particular risk assessment and response planning.
b. Access rights and controls.
Examined items may include an overview of controls related to remote access to a firm’s systems from both company-issued and personal devices.
c. Data loss prevention.
An assessment of how the firm tracks the amount of content transferred by employees outside the firm or through third parties via web file-transfer programs and email attachments.
Examiners may also review, in order to mitigate risk, information related to third-party vendors that provide cybersecurity services,
gather information about training methods and the related materials provided,
and assess whether appropriate safeguards have been put in place for customer data and what actions will be taken in the event of a cybersecurity breach.
How can an advisor build a cybersecurity program?
Patrick Cleary, Chief Operations Officer at Alpha Architect, in his post SEC Cybersecurity Requirements for Registered Investment Advisors (RIAs), describes in detail what you need in order to deploy a reasonably solid cybersecurity program that meets all of the SEC’s requirements:
– Assess your data breach risk and compliance status.
– Implement the safeguards necessary to secure confidential data.
– Create a system of rules and practices.
– Identify hazards and risk factors that may cause harm.
– Keep up with current cybersecurity requirements.
– Mitigate risks associated with vendors and ensure continuity of services.
The DOL also offers tips to help plan fiduciaries fulfill their responsibilities under ERISA for the prudent selection and monitoring of service providers. Investment advisers and broker-dealers should be aware of their vendors’ information security standards and policies. It is important to find out what security standards a provider has implemented and how it responds in the event of a security breach.
Alongside this, the DOL’s Employee Benefits Security Administration (EBSA) issued specific guidance on cybersecurity best practices, which comes in three forms: best cybersecurity practices for recordkeepers, online security tips for plan sponsors, and how to choose a service provider.
EBSA offers best practices for recordkeepers and plan fiduciaries responsible for the IT systems and data associated with the plan. Having a documented cybersecurity program and a reliable annual third-party audit are important aspects to look for when choosing service providers. You should have clearly defined security responsibilities and strong access control procedures. EBSA also states that service providers should implement secure system development and management lifecycle programs, and that strong technical controls in line with security and privacy best practices, together with data encryption, will mitigate information security risks.
But what about advisors working in smaller organizations with limited information technology resources, who realize that cybersecurity is a big step forward from the traditional world of retirement advice?
No one is immune to breaches, judging by the events affecting even large companies. David N. Levine, a principal with Groom Law Group, suggests five basic questions as a basis for evaluating your approach to cybersecurity:
- What data do you have? Analyze both your own data and your clients’, and where it is kept.
- How do you control your own data and that of your clients?
- What steps have been taken to track access to your data and hacking attempts?
- What are your obligations to disclose data breaches?
- How do you address cybersecurity breaches affecting your business or customers?
It is important to remember that cybersecurity is not a one-off event but an ongoing process. Failure to keep up with these requirements can greatly reduce your legal protection in the event of a data breach.