Since early 2014, a growing spotlight has focused on the cybersecurity stance of RIA’s worldwide. Specifically, the SEC and FINRA have signalled their interest and demonstrated concern that firms are ill prepared in their defense efforts. In the past, many small and mid-sized RIAs have considered themselves to be too small to be of interest to cyber-criminals and have chosen to mostly ignore the threat, leaving themselves open to attack.
Just this week the Securities and Exchange Commission (SEC), announced that a St. Louis-based investment adviser (with approximately 500m AUM) has agreed to settle charges stemming from a 2013 breach event. The report found that the firm failed to establish the required cybersecurity policies and procedures, which ultimately compromised the personally identifiable information (PII) of approximately 100,000 individuals, many of whom were clients of the firm.
The SEC’s investigation revealed that the firm neglected to implement policies and procedures designed to protect sensitive client data. It also failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server and maintain a response plan for cybersecurity incidents - all of which are fundamental cybersecurity considerations. One may also note that in this case the reputational damage to the firm greatly overshadows the costs of remediation.
The report highlights the imminent risk facing all firms and disciplinary actions for those failing to comply. Regulatory agencies around the globe are quickly following suit, assuming a governance role designed to protect sensitive assets and far reaching implications associated with a security breach.
On the heels of the SEC’s report, the Central Bank of Ireland (CBI) issued a stern warning to firms failing to adopt recommended cybersecurity measures. Similar to the SEC’s initiatives, the CBI issued a 17-point best practice document and self-assessment questionnaire to its members. These documents were the result of a thorough assessment exercise conducted earlier this year. Many firms regard cybersecurity planning as exhaustive due diligence, but as the CBI suggests, firms must adopt 'a culture of security and resiliency’ to best defend against cyber attacks.
The flurry of activity from regulators this month emphasize that what was once a growing concern has become a perfect storm for firms around the globe.
eSentire has released an updated RIA Cybersecurity Matrix, a pragmatic security to-do list that helps firms define and achieve a cybersecurity strategy. Cybersecurity isn’t a “one size fits all” exercise. The Matrix compartmentalizes the concerns of funds, using a firm’s AUM as a rough guide. Recognizing that each firm operates within a different maturity model, the RIA Cybersecurity Matrix permits CTO’s to identify what is an appropriate cybersecurity response, and structure a proactive, methodical plan for what needs to be accomplished in the next year.
For well over a decade, eSentire has provided clients with award-winning and unparalleled tactical cyber defense from a variety of attacks. From active defense initiatives against the FIN4 group (13 months before it was described in the mainstream media) to in-depth analysis and tools to address the most recent SSL vulnerabilities, eSentire’s cybersecurity practice is unmatched within the Registered Investment Advisors community. As a member of the both the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the OASIS Cyber Threat Intelligence Technical Committee (CTI), eSentire remains on the leading edge of the threat landscape.
We pride ourselves on our reputation as the leading security advisor within the RIA market and to that end we’ve aligned with the regulatory associations driving cybersecurity change. eSentire remains committed to delivering essential programs that allow firms to stay ahead of governance recommendations and requirements.
In addition to the aforementioned Matrix document, we continue to receive great interest and gratitude for our freely-available and open-sourced Security Policy and Incident Response Frameworks, and our open-sourced big data Cyber Monitor offering, Cymon. In the coming weeks we’ll also unveil several new initiatives designed to help our clients weather this perfect cybersecurity storm while strengthening their security defenses.