{"id":8801,"date":"2021-08-17T07:46:40","date_gmt":"2021-08-17T12:46:40","guid":{"rendered":"https:\/\/rixtrema.com\/blog\/?p=8801"},"modified":"2021-08-25T12:32:49","modified_gmt":"2021-08-25T17:32:49","slug":"cybersecurity-regulations","status":"publish","type":"post","link":"https:\/\/rixtrema.com\/blog\/cybersecurity-regulations\/","title":{"rendered":"Cybersecurity Regulations"},"content":{"rendered":"\n<p><span style=\"font-weight: 400;\">Retirement is an industry plagued with cybersecurity breaches. Everyone from recordkeepers to advisors is affected.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In 2016, the SEC\u2019s main investor database, the EDGAR system, fell victim to a<\/span><a href=\"https:\/\/www.washingtonpost.com\/business\/economy\/sec-ignored-years-of-warnings-about-cybersecurity-before-massive-breach\/2017\/10\/24\/7e7507d0-adf7-11e7-be94-fabb0f1e9ffb_story.html?utm_term=.9e6463925bfa\"> <span style=\"font-weight: 400;\">highly embarrassing security breach<\/span><\/a><span style=\"font-weight: 400;\"> when hackers stole thousands of corporate releases and private documents, resulting in over $100 million in illegal trading and other nefarious activity. Fortunately, there are steps that can be taken to develop and implement a successful cybersecurity program that meets<\/span><a href=\"https:\/\/www.sec.gov\/spotlight\/cybersecurity\"> <span style=\"font-weight: 400;\">SEC requirements<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Investment advisers and broker-dealers should treat cybersecurity as a very important issue. 
The SEC\u2019s Office of Compliance Inspections and Examinations included it in<\/span><a href=\"https:\/\/www.thsh.com\/uploads\/Overview-Data-Privacy-Cybersecurity-Regulatory.pdf\"> <span style=\"font-weight: 400;\">the list of examination<\/span><\/a><span style=\"font-weight: 400;\"> priorities.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These examinations focus on the following areas:<\/span><\/p>\n<p><em><span style=\"color: initial;\">a. Administration and risk assessment.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400;\">SEC examiners may review the level of interaction with senior management and boards of directors and their participation in considering cybersecurity issues, in particular risk assessment and response planning.<\/span><\/p>\n<p><em><span style=\"color: initial;\">b. Access rights and controls.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400;\">Examined items may include an overview of the controls governing remote access to a firm&#8217;s systems from both firm-issued and personal devices.<\/span><\/p>\n<p><em><span style=\"color: initial;\">c. Data loss prevention.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400;\">An assessment of how the firm tracks the amount of content transferred by employees outside the firm, or through third parties, via web file-transfer programs and email attachments.<\/span><\/p>\n<p><em><span style=\"color: initial;\">d. Vendor management.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400;\">To mitigate risks, examiners review information related to the third-party vendors that provide cybersecurity services.<\/span><\/p>\n<p><em><span style=\"color: initial;\">e. Education.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400;\">Examiners gather information about training methods and the related materials provided to staff.<\/span><\/p>\n<p><em><span style=\"color: initial;\">f. Incident response.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 
400;\">Whether appropriate safeguards for client data have been put in place, and what actions will be taken in the event of a cybersecurity breach.<\/span><\/p>\n<h2><b>How can an advisor build a cybersecurity program?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Patrick Cleary, Chief Operations Officer at <\/span><a href=\"https:\/\/alphaarchitect.com\/\"><span style=\"font-weight: 400;\">Alpha Architect<\/span><\/a><span style=\"font-weight: 400;\">, in his post <\/span><a href=\"https:\/\/alphaarchitect.com\/2018\/09\/26\/sec-cybersecurity-requirements-for-registered-investment-advisors-rias\/\"><span style=\"font-weight: 400;\">SEC Cybersecurity Requirements for Registered Investment Advisors (RIAs)<\/span><\/a><span style=\"font-weight: 400;\">, explains in detail what you need in order to deploy a decent cybersecurity program that meets all of the SEC\u2019s requirements:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\">Assess your data breach risk and compliance status.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Implement the necessary safeguards to secure confidential data.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Create a system of rules and practices.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Identify hazards and risk factors that may cause harm.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Manage the current cybersecurity requirements.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Mitigate risks associated with vendors and ensure the continued provision of services.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The DOL also <\/span><a href=\"https:\/\/www.dol.gov\/sites\/dolgov\/files\/ebsa\/key-topics\/retirement-benefits\/cybersecurity\/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf\"><span 
style=\"font-weight: 400;\">offers some tips<\/span><\/a><span style=\"font-weight: 400;\"> to help plan fiduciaries fulfill their responsibilities under ERISA for the prudent selection and monitoring of service providers. Investment advisers and broker-dealers should be aware of their vendors\u2019 information security standards and policies. It is important to find out which security standards a service provider has implemented and how it responds to security breaches.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Alongside this, the DOL&#8217;s Employee Benefits Security Administration (EBSA) issued specific <\/span><a href=\"https:\/\/www.dol.gov\/newsroom\/releases\/ebsa\/ebsa20210414\"><span style=\"font-weight: 400;\">cybersecurity guidance<\/span><\/a><span style=\"font-weight: 400;\"> on best practices, which comes in three forms: best cybersecurity practices for recordkeepers, online security tips for plan sponsors, and how to choose a service provider.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">EBSA offers best practices for recordkeepers and plan fiduciaries responsible for the IT systems and data associated with the plan. Having a documented cybersecurity program and a reliable annual third-party audit are important aspects when choosing service providers. You should have clearly defined security responsibilities backed by strong access control procedures. 
EBSA also states that service providers should implement secure system development and management lifecycle programs, and that strong technical controls in line with security and privacy best practices, together with data encryption, will mitigate information security risks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But what about advisors working in smaller organizations with limited information technology resources, for whom cybersecurity is a big step beyond the traditional world of retirement advice?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">No one is immune to breaches, judging by the events affecting even large companies. David N. Levine, a principal with Groom Law Group, suggests<\/span><a href=\"https:\/\/www.napa-net.org\/news-info\/daily-news\/cybersecurity-what%E2%80%99s-advisor-do\"> <span style=\"font-weight: 400;\">five basic questions<\/span><\/a><span style=\"font-weight: 400;\"> as a basis for evaluating your approach to cybersecurity:<\/span><\/p>\n<ol>\n<li><span style=\"font-weight: 400;\">What data do you have? 
Consider both your own data and your clients\u2019, and where it is kept.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">How do you control your own data and that of your clients?<\/span><\/li>\n<li><span style=\"font-weight: 400;\">What steps have been taken to track access to your data and hacking attempts?<\/span><\/li>\n<li><span style=\"font-weight: 400;\">What are your obligations to disclose data breaches?<\/span><\/li>\n<li><span style=\"font-weight: 400;\">How do you address cybersecurity breaches affecting your business or customers?<\/span><\/li>\n<\/ol>\n<p><a href=\"https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/cubersecurity-min.png\" data-rel=\"lightbox-image-0\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-8803 alignnone\" src=\"https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/cubersecurity-min.png\" alt=\"\" width=\"953\" height=\"532\" srcset=\"https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/cubersecurity-min.png 953w, https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/cubersecurity-min-300x167.png 300w, https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/cubersecurity-min-768x429.png 768w, https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/cubersecurity-min-500x279.png 500w, https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/cubersecurity-min-800x447.png 800w\" sizes=\"auto, (max-width: 953px) 100vw, 953px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">It is important to remember that cybersecurity is not a one-off event but an ongoing process. 
Failure to keep up with these requirements can greatly reduce your legal protection in the event of a data breach.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Retirement\u00a0 is an industry plagued with cybersecurity breaches. 
Everyone from recordkeepers to advisors are affected.<\/p>\n","protected":false},"author":19,"featured_media":8804,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[168],"tags":[49,7,172],"class_list":["post-8801","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-fiduciary","tag-financial-advisor","tag-retirement-plan-advisors"],"jetpack_featured_media_url":"https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/Cybersecurity-regulations.jpg","yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v15.9.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cybersecurity Regulations<\/title>\n<meta name=\"description\" content=\"Retirement\u00a0 is an industry plagued with cybersecurity breaches. Everyone from recordkeepers to advisors are affected.\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rixtrema.com\/blog\/cybersecurity-regulations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cybersecurity Regulations\" \/>\n<meta property=\"og:description\" content=\"Retirement\u00a0 is an industry plagued with cybersecurity breaches. 
Everyone from recordkeepers to advisors are affected.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rixtrema.com\/blog\/cybersecurity-regulations\/\" \/>\n<meta property=\"og:site_name\" content=\"RiXtrema.com\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/LarkspurRiXtrema\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-17T12:46:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-25T17:32:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/rixtrema.com\/blog\/wp-content\/uploads\/2021\/08\/Cybersecurity-regulations.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"700\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@RiXtrema\" \/>\n<meta name=\"twitter:site\" content=\"@RiXtrema\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\">\n\t<meta name=\"twitter:data1\" content=\"4 minutes\">\n<!-- \/ Yoast SEO Premium plugin. 
-->","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/posts\/8801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/comments?post=8801"}],"version-history":[{"count":2,"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/posts\/8801\/revisions"}],"predecessor-version":[{"id":8856,"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/posts\/8801\/revisions\/8856"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/media\/8804"}],"wp:attachment":[{"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/media?parent=8801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/categories?post=8801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rixtrema.com\/blog\/wp-json\/wp\/v2\/tags?post=8801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}