Tackling cybersecurity: How one firm got started
Our focus is helping our clients evaluate and integrate every single detail of their financial lives, and we do that with deep financial planning, wealth management, investment management. Our typical client has assets between, oh, 2 to 25 million. We have 715 clients and total assets under management of about 1.1 billion right now. We’ve done a lot of work on cybersecurity from the perspective of just, you know, evaluating the preparedness of the firm. It’s fairly new in the compliance world, and so my challenge when I first joined the firm was really just to evaluate the overall compliance program and make sure that we had all our ducks in a row, from the types of things that I was used to in my past.
Cybersecurity came barreling in fairly quickly after I joined the firm and was an area where I needed a lot of education, so we started out by having myself and my compliance manager both go to a conference, get some additional education. I think there were five cybersecurity sessions that scared us completely and made us sit up and take notice. And so, it’s a critical component of our compliance program now. We spend a lot of time developing our policies and procedures. We spend a lot of time analyzing our entire IT infrastructure to make sure that we have the virus software in place, the security in place that we’re doing all the right things from the perspective of due diligence on all of our partners, and our third party vendor’s done a lot of work there.
We haven’t had any instances (We’re very lucky in that case.), but our clients have. So, it’s been critical that our staff understand what to look for, how to be diligent. We do quarterly training with our staff. We’re planning on doing some phishing training so that they are being challenged and we can find out how much they’ve really learned, and we’ll be doing that soon. We’re also going to do our own sort of internal mock cybersecurity exam, taking the SCC checklist. We did that with general compliance. We’re going to do it again with cybersecurity this year and we’re also planning on having an external firm come in and evaluate everything that we’ve done to make sure that we’ve got everything on course.
We put out a newsletter recently to our clients talking about what we do and what they can do, and then we’re building that into the agendas of all of our client meetings to bring that to the forefront, to talk to our clients, make sure that they know that we take it seriously, and make sure that they know that we have plans in place in the event that something happens.
We spent a lot of time just reading and researching, utilizing Schwab as a resource with their compliance newsletter, and went to some of their compliance functions as well and just immersed myself in whole topic. As scared as I was of it, once you break it down into the different components and you try to work with your IT team, and you look at all of the logical things that you need to do, it’s not as overwhelming as you might think it would be. And so, we’ve spent a lot of time at our firm looking at all of our policies and procedures, building in checks and double checks, looking at our IT infrastructure, training our clients, training our staff, and really just putting as much into it as we possibly can, to be ready for any event that might happen. Hopefully, that doesn’t happen, but also just to be confident that we’re protecting our client’s information.