Advisor POV: How firms are tackling the challenge of cybersecurity
Ann Smith of Heritage Financial Services and Robert Ross of Sontag Advisory share what it took to get their firms' cybersecurity programs up and running.
As the saying goes, "The hardest part of any journey is taking that first step." In the area of cybersecurity planning, this adage rings especially true. On January 12, 2017, the U.S. Securities and Exchange Commission (SEC) announced that its 2017 examination priorities would include reviewing a firm's cybersecurity compliance procedures and controls, as well as validating that those controls are actually implemented. This announcement has added to the growing pressure on advisors to demonstrate their efforts in establishing and maintaining their firms' cybersecurity programs.
It's no wonder that there are dozens of websites, tools, consultants, and resources available to help advisors take on the cybersecurity challenge. But, given the complexity and importance of the topic, the wide range of options and expert opinions can make it even harder to know where to begin.
We spoke to several advisors who've tackled the challenge head-on and are well on their way to strengthening and formalizing their cybersecurity programs. Below are highlights from our discussion with two such firms, which share their experiences and ideas for kick-starting your efforts. This article is the first in an ongoing series to help you with your cybersecurity efforts.
Start with the basics
Ann Smith, chief operating officer and chief compliance officer at Heritage Financial Services, knows how overwhelming cybersecurity can seem. With little direct experience on the topic, she leveraged her years as a compliance and operations professional to guide her.
"My logical operational mind took me to the basics," Ann says. "I started with getting some training—attending several conferences and seminars. I spent a lot of time reading and researching, utilizing Schwab as a resource, and just immersed myself in the whole topic."
Armed with information, Ann first evaluated the firm's cybersecurity preparedness—analyzing its entire IT infrastructure and developing policies and procedures to reflect standards and controls appropriate and reasonable for her firm. She also reviewed its current due diligence process for vendors and third parties to ensure these partners were aligned with her firm's regulatory expectations.
"I had very little experience in cybersecurity. It was very new and overwhelming, and I didn't know where to begin." —Ann Smith, CCO and COO, Heritage Financial Services
Ann knew that the "human factor" often poses the biggest risk, so she quickly focused on employee and client training. Because more and more clients were using technology in their daily lives, including emailing their advisors, it was clear that educating clients would be critical.
Whether during client meetings or through the firm's newsletter, the team began educating clients on the risk and actual techniques fraudsters use, along with the firm's policies and procedures for safeguarding client information and assets. They also shared how they would handle any type of fraud or data incident that might impact clients or the firm. Ultimately, this proactive approach demonstrated the firm's commitment to clients and reinforced how seriously everyone at the firm considered the threat.
As for Heritage employees, each staff member undergoes mandatory compliance training to ensure they can recognize and understand threats and know the firm's protocols for guarding against them.
Today, cybersecurity is an important and integral component to Heritage's overall compliance program. Moving into 2017, Ann and her team will continue to examine the firm's cybersecurity preparedness, while engaging experts to help them take their efforts to the next level.
They've hired a third-party consultant to evaluate their current infrastructure and to run phishing tests that assess employee adherence to firm policies and procedures. They also performed a mock cybersecurity exam using the SEC's sample document request list from the April 2014 Office of Compliance Inspections and Examinations (OCIE) National Exam Program Risk Alert.
Cybersecurity can be overwhelming and complex, but if you start by educating yourself, as Ann and her team did, you can map out the timeline and tasks to reveal the light at the end of the tunnel.
"As scared as I was of it, once you break it down into the different components and work with your IT team, look at all of the logical things you need to do, it's not as overwhelming," Ann says.
Consider hiring an expert
Sontag Advisory, a New York City–based firm, began to ramp up its cybersecurity efforts in January 2015 by leveraging the SEC's April 2014 OCIE Risk Alert. According to Robert Ross, the firm's chief compliance officer, "With the advent of our technology upgrades, we began to recognize the business risk in having our data going to different technology platforms that weren't entirely housed on our own network."
They realized they needed a formal assessment of the firm's overall data security infrastructure and its areas of vulnerability, and to identify opportunities to strengthen that infrastructure.
Robert and his team began a year-long process of examining their cybersecurity program against the SEC's sample document request list. They established biweekly meetings with their team and an external technical consultant to complete the assessment and create an action plan to strengthen the firm's program.
Since January 2015, Sontag Advisory has implemented several changes, including a handful of low-cost solutions that have made significant improvements to its cybersecurity program. The firm has:
- Restricted administrative privileges on user machines so that employees cannot install unapproved executable files.
- Disabled USB ports/CD drives on user machines to protect against the possibility of malicious code entering its network or the inappropriate/unauthorized downloads of data by employees.
- Implemented strict website filtering to prevent employees from accessing sites (e.g. social media sites, personal email, and Dropbox™ accounts) that present additional security risks to the firm.
- Segregated employee access to personal email and Dropbox accounts by setting up a separate portal on each employee's desktop that links to a server isolated from the firm's network. This gives employees personal Internet access while protecting the firm from the data security breaches such access can introduce.
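Two of the controls above, restricting local administrator rights and disabling USB mass storage, live on the workstation itself and can be verified there. The following Windows PowerShell script is an added example for this article, not code from Sontag Advisory or Heritage Financial Services; it audits both controls on a single machine and includes the remediation for the USB setting. The approved-admin account names (the `CORP\...` groups) are placeholders to be replaced with your own. Website filtering and the isolated personal-browsing portal are enforced on the proxy and network, so they are not checked here.

```powershell
# Added example for this article; not code from either firm described above.
# Audits two of the low-cost endpoint controls listed in the text on a Windows workstation:
#   1. local administrator rights restricted to approved accounts
#   2. USB mass storage / removable media disabled
# Run in an elevated Windows PowerShell 5.1 session (Get-LocalGroupMember comes from
# the Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 / Server 2016).

# Accounts permitted to hold local admin rights. Hypothetical names: replace with your own.
$ApprovedAdmins = @(
    'CORP\Domain Admins',
    'CORP\Workstation-Admins',
    "$env:COMPUTERNAME\Administrator"   # built-in account; should itself be disabled
)

function Test-LocalAdminRestriction {
    # Any member of the local Administrators group outside the approved list can install
    # arbitrary executables and switch off the other controls, so it is reported as a finding.
    $members    = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $unapproved = @($members | Where-Object { $ApprovedAdmins -notcontains $_ })
    if ($unapproved.Count -gt 0) { $detail = 'Unapproved local admins: ' + ($unapproved -join ', ') }
    else { $detail = 'Only approved accounts hold local admin rights' }
    [pscustomobject]@{
        Control = 'Admin rights restricted'
        Pass    = ($unapproved.Count -eq 0)
        Detail  = $detail
    }
}

function Test-RemovableStorageDisabled {
    # Windows administrators disable USB mass storage in one of two ways; either satisfies the control.
    #  a) The USBSTOR driver service set to Start = 4 (disabled). The Windows default is 3
    #     (start on demand), i.e. USB storage enabled. This covers mass-storage devices only.
    #  b) The Group Policy "All Removable Storage classes: Deny all access", stored as
    #     HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All = 1,
    #     which also covers CD/DVD drives and portable devices such as phones.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -Name Deny_All -ErrorAction SilentlyContinue

    $driverDisabled = ($null -ne $usbstor -and $usbstor.Start -eq 4)
    $policyDenied   = ($null -ne $policy  -and $policy.Deny_All -eq 1)

    $startText = if ($null -ne $usbstor) { $usbstor.Start } else { 'missing' }
    $denyText  = if ($null -ne $policy)  { $policy.Deny_All } else { 'not set' }
    [pscustomobject]@{
        Control = 'Removable storage disabled'
        Pass    = ($driverDisabled -or $policyDenied)
        Detail  = "USBSTOR Start = $startText (4 = disabled); Deny_All policy = $denyText (1 = denied)"
    }
}

function Disable-RemovableStorage {
    # Remediation: apply both settings described in Test-RemovableStorageDisabled.
    # Requires administrator rights; devices already mounted stay mounted until removed.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -Name Deny_All -Value 1 -Type DWord
}

# Run the audit. A Pass of False on either row is an item for the action plan;
# uncomment the last line to apply the USB remediation on a machine that fails it.
$results = @(Test-LocalAdminRestriction; Test-RemovableStorageDisabled)
$results | Format-Table -AutoSize
# if (-not (Test-RemovableStorageDisabled).Pass) { Disable-RemovableStorage }
```

In a firm of any size these settings are pushed by Group Policy rather than set by hand, so the value of a script like this is the audit half: running it from a scheduled task or remote session across all workstations gives the compliance officer evidence that the control is actually in place, which is what the SEC exam described later in the article looks for, rather than only the policy that says it should be.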
"These are the things we did 'pre-audit,' which even without doing any great changes to our network and not spending a lot of money, innately helped our security quite a bit." —Robert Ross, CCO, Sontag Advisory
Robert also hired an outside cybersecurity firm to: 1. conduct a full risk assessment of potential system weaknesses, 2. deliver regular employee training, 3. conduct phishing tests with employee reporting, and 4. perform ongoing monitoring of all network activity on employee machines and servers.
Following Sontag's initial efforts, particularly around employee training, Robert has seen employees retain what they've learned and become more skilled at assessing the possible cybersecurity risks they encounter, both at work and in their personal lives.
"We got great response from our staff on the cybersecurity training performed by our vendor," Robert says. "The reason for the great response was because the vendor came in and spent the first 45 minutes sharing horrific war stories about the effects of a cybersecurity breach. It really drove it home for people in their everyday life, and they were able to relate to it on an everyday level."
In December 2015, Robert received notification of a routine regulatory exam. Based on his experience, he knew that it would include a look into the firm's cybersecurity preparedness. Luckily, Robert and his team were well into their cybersecurity efforts by the time the exam kicked off.
"Since we were already undertaking efforts to build our program, we were fairly prepared by the time the exam came around," Robert says. "In the end, we had one very benign finding, which has since been addressed. Because we were already conducting extensive testing on our own systems, we were able to have some technology upgrades in process by the time we met with the regulators."
Resources to help you get started
We have a number of resources to help you learn more about cybersecurity, assess your firm's current efforts, educate your employees and clients, and develop a plan for strengthening your approach. Log in to Schwab's Cybersecurity Resource Center to explore our guided process and action-oriented tools for creating and maintaining a robust program.