Hi, I'm Adam Moseley with Schwab Advisor Services. In my role as a technology consultant and operations, I frequently hear from clients how important it is to be vigilant in protecting their data.
I'm often asked about best practices that can help firms effectively defend against cyber threats. In my 20 years in this business, I've seen first-hand how hard you've worked to grow your firm and gain your clients' trust—and I believe a strong cybersecurity program is essential to helping you protect both.
A strong cybersecurity program combines a documented strategy, a solid security infrastructure, and a culture of protection across all stakeholders.
I'm excited to introduce the five steps we've designed to guide you as you build, strengthen, and maintain your firm's cybersecurity program.
Let's start with setting the stage for success.
You'll want to start by gaining a deeper understanding of the cybersecurity and regulatory landscape to determine what your program should include. And perhaps most critical, take inventory of your firm's hardware, software, vendors, and third parties and data to identify each of the elements you need to protect.
Next, conduct an in-depth assessment of what you're doing today to protect your clients' information. This will help you identify potential areas of weakness that could be leaving your firm vulnerable to cyber threats. Now, as you uncover security gaps, document the actions you plan to take to mitigate or eliminate them.
With your completed assessment in hand, it's time to create a detailed action plan. This should include a prioritized list of activities that you've defined for enhancing and maintaining your cybersecurity program along with assigned owners and target completion dates for each action item.
With your plan in place, you're ready to move forward to implementation and documentation. One thing I can't say enough of is—documentation is key. As you're executing your action plan, whether you're creating new processes and procedures, bringing in new technology, or engaging with an external vendor or third party, it's important to create the appropriate documentation for each action.
Communication will be critical to creating lasting change across your firm. For larger firms, this means providing regular updates to your leadership team, and informing staff of any changes to activities that require their compliance.
Finally, you'll need to establish ongoing maintenance to keep your plan current. Another lesson my years in this business has taught me is—change is inevitable. Establishing a process that keeps your cybersecurity program current will help you defend against any new risks your firm may face. Regular maintenance typically include testing, monitoring and auditing your data security processes; updating your inventory and conducting periodic risk assessments; monitoring the regulatory environment and industry trends; and providing ongoing staff and client training and education.
Strengthening your cybersecurity program is not a one-time event. Periodically performing these five steps will help you maintain your program and set you on the path to protect your firm against the growing number of cyber threats.
Congratulations on embarking on this journey to strengthen your firm's cybersecurity program.