SEC’s Spotlight on Cybersecurity

Cybersecurity “chat” from Sonja Rae @ RIA-CCO ~

As stated directly on the SEC’s website, cybersecurity is of utmost concern in our industry. Yes, we know…. That’s a given!

“As markets grow more global and complex, so too are the threats through cyber intrusion, denial of service attacks, manipulation, misuse by insiders and other cyber misconduct. In the United States, aspects of cybersecurity are the responsibilities of multiple government agencies, including the SEC. Cybersecurity is also a responsibility of every market participant. The SEC is committed to working with federal and local partners, market participants and others to monitor developments and effectively respond to cyber threats.”

Encryption helps protect sensitive information from access by unauthorized third parties while the information is “in transit” (for example, sent via email) or “at rest” (for example, stored on a laptop computer’s hard drive). I’ve seen firsthand that cybersecurity is addressed during regulatory examinations, by both state regulators and the SEC. RIAs should understand, at a minimum, two main applications of encryption:

Electronic communication: In its April 2019 risk alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) noted the deficiency that many firms did not appear to have policies and procedures reasonably designed to prevent employees from sending unencrypted emails to clients containing personally identifiable information (“PII”).

Some firms may choose to only use a secure client portal to share sensitive information with clients while other firms may prefer to use secure, encrypted email, or a combination of both methods. One of the most common solutions we have seen RIA firms use for secure email is ShareFile (a division of Citrix). Whether a firm utilizes ShareFile or another similar software, encrypted email systems generally require the recipient of the email to pass through a verification process before being able to access the email’s contents.

Device protection: RIAs should use encryption technology to protect sensitive information held on all company devices. “Full disk encryption” is the process of securing the entire contents of a computer’s hard drive, so that the data cannot be read if the device is lost or stolen. There are many encryption solutions available that are suitable for RIAs. Microsoft Windows and Apple operating systems already have built-in encryption tools, explained below:

BitLocker: An encryption feature included with Windows versions beginning with Windows Vista. It is included in the Windows 10 Professional and Enterprise editions.

FileVault: An encryption feature included in the Apple macOS operating system.

I recommend that firms consult with an experienced information technology provider before installing encryption methods; there are a number of things to consider. I am not an expert in this arena; however, I have worked hand-in-hand with firms that are. RIAs should ensure that a full, secure data backup process is implemented, and that all data recovery keys are properly stored, before implementing encryption technology.
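A read-only check of the kind an IT provider might run on company Windows laptops before and after rolling out full disk encryption, added here as an example and not taken from the original post: it uses the Windows BitLocker PowerShell module to report, per fixed volume, whether the drive is fully encrypted and whether a recovery-password protector exists, which is the 48-digit recovery key the post says must be stored before encryption is enabled. The function name `Get-DiskEncryptionReport` is my own; the cmdlets and property names are those of the built-in BitLocker module.

```powershell
# Added example, not from the original post. Read-only BitLocker status
# report for the fixed volumes of a Windows device. Requires the built-in
# BitLocker module and an elevated PowerShell session.

#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-DiskEncryptionReport {
    # Only the operating-system and fixed data volumes; removable media is out of scope here
    Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $protectors = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
            [PSCustomObject]@{
                Volume           = $_.MountPoint
                VolumeType       = $_.VolumeType
                Encrypted        = ($_.VolumeStatus -eq 'FullyEncrypted')
                ProtectionOn     = ($_.ProtectionStatus -eq 'On')
                EncryptionMethod = $_.EncryptionMethod
                PercentComplete  = $_.EncryptionPercentage
                Protectors       = ($protectors -join ',')
                # A RecoveryPassword protector is the 48-digit key that must be
                # escrowed (e.g. in Active Directory / Azure AD or a password vault)
                # before the device is handed back to the employee.
                HasRecoveryKey   = ($protectors -contains 'RecoveryPassword')
            }
        }
}

$report = Get-DiskEncryptionReport
$report | Format-Table -AutoSize

# Flag what an examiner would question: an unencrypted volume, protection that
# has been suspended, or an encrypted volume with no recovery-key protector.
$findings = $report | Where-Object { -not $_.Encrypted -or -not $_.ProtectionOn -or -not $_.HasRecoveryKey }
if ($findings) {
    Write-Warning 'Volumes needing attention:'
    $findings | Format-Table Volume, Encrypted, ProtectionOn, HasRecoveryKey -AutoSize
} else {
    Write-Host 'All fixed volumes are fully encrypted with a recovery-key protector present.'
}
```

The report only confirms that a recovery-key protector exists on the device; whether the key itself has actually been saved to the firm’s chosen escrow location still has to be verified separately.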

Keep in mind that encryption should be used alongside other data security measures, such as implementing a virtual private network (“VPN”) and a firewall. Employees should be required to set their computers to automatically screen-lock. Protecting sensitive client information requires strong cooperation between the firm’s employees and the technological defense measures put in place by industry experts in cybersecurity.

If you are interested, I have created a basic RIA Cybersecurity checklist, email me at [email protected] and I’ll pass it along…

Have a great Tuesday!