5 steps to strengthen your cybersecurity
Transcript of the video:
Hi, I'm Adam Moseley with Schwab Advisor Services. In my role as a Technology and Operations Consultant, I frequently hear from clients how important it is to be vigilant in protecting their data. I'm often asked about best practices that can help firms effectively defend against cyber threats. In my 20 years in this business, I've seen firsthand how hard you've worked to grow your firm and gain your clients' trust, and I believe a strong cybersecurity program is essential to helping you protect both.
A strong cybersecurity program combines a documented strategy, a solid security infrastructure, and a culture of protection across all stakeholders.
Our Cybersecurity Resource Center provides extensive guidance and support to help you shape and strengthen your firm's data security efforts.
I'm excited to introduce the five steps we've designed to guide you as you build, strengthen, and maintain your firm's cybersecurity program.
Let's start with setting the stage for success.
Before you invest your time and energy in strengthening your firm's cybersecurity policies and procedures, it's critical to establish a strong foundation for ongoing success. You'll want to start by gaining a deeper understanding of the cybersecurity and regulatory landscape to determine what your program should include. It's important to identify key stakeholders who will contribute to your efforts, as well as champion your firm's cybersecurity program. And perhaps most critical, take inventory of your firm's hardware and software, vendors and third parties, and data to create a clear understanding of what you need to protect.
You can leverage our Take Inventory tool to create and maintain a record of these items. As seen here, you can download it directly from our Cybersecurity Resource Center.
Next, conduct an in-depth assessment of what you're doing today to protect your client's information. This will help you identify potential areas of weakness that could be leaving your firm vulnerable to cyber threats. Our Cybersecurity Assessment and Action Plan Workbook will walk you through the numerous areas you must evaluate during your assessment.
This tool is based on the National Institute of Standards and Technology Cybersecurity Framework and includes dozens of control statements covering key areas that are critical to a comprehensive cybersecurity program.
Now, as you uncover security gaps, document the actions you plan to take to mitigate or eliminate them.
Our Cybersecurity Reference Guide provides dozens of best practices that can help you with this step.
With your completed assessment in hand, it's time to create a detailed action plan.
This should include a prioritized list of activities that you've defined for enhancing and maintaining your cybersecurity program, along with assigned owners and target completion dates for each action item.
With your plan in place, you're ready to move forward to implementation and documentation.
One thing I can't say enough, documentation is key. If you've ever experienced any type of regulatory exam you know that one of the first communications you receive from examiners is a document request list. So, as you're executing your action plan, whether you're creating new processes and procedures, bringing in new technology, or engaging with an external vendor or third party, it's important to create the appropriate documentation for each action. Your action plan is likely to bring about change across your firm, possibly even a shift in culture. Communication will be critical to creating lasting change across your firm.
For larger firms, this means providing regular updates to your leadership team and informing staff of any changes to activities that require their compliance.
Finally, you'll need to establish ongoing maintenance to keep your plan current.
Another lesson my years in this business have taught me is that change is inevitable. Your business will evolve along with the industry and regulatory expectations. As you continue to strengthen your cybersecurity protocols, cybercriminals will also continue their attempts and develop new methods to breach your defenses. Establishing a process that keeps your cybersecurity program current will help you defend against any new threats your firm may face.
Regular maintenance typically includes testing, monitoring, and auditing your data security processes, updating your inventory and conducting periodic risk assessments, keeping up with the regulatory environment and industry trends, and providing ongoing staff and client training and education.
Our Cybersecurity Resource Center contains dozens of tools, including a handful specifically designed to educate your staff and clients.
Strengthening your cybersecurity program is not a one-time event. Periodically performing these five steps will help you maintain your program and set you on the path to protect your firm against the growing number of cyber threats. Congratulations on embarking on this journey to strengthen your firm's cybersecurity program. Thanks for watching.