We all see the headlines these days with alarming frequency: cyberattacks against companies in all industries are occurring in greater numbers and with increasing severity. For financial services professionals, the threat is acute. Financial services organizations encounter security incidents three times more frequently than organizations in other industries, and the total cost incurred from cybercrime is higher for financial services companies than for any other sector. Independent investment advisors have largely escaped the devastating, headline-grabbing attacks that other companies, such as Target or Visa, have faced. However, regulators are focusing more than ever on making sure that firms implement safeguards to protect investors.

Recent guidance from the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (Finra) indicates that written information security policies and strong governance from firm management are essential. Whether mandated or not, a solid cybersecurity program is critical to mitigating cybercrime and fraud attacks. It will also help safeguard your brand and maintain confidence among your clients.

Cybersecurity planning is complex and multi-faceted. To be effective, plans must reflect a firm’s unique business practices, its procedures and its technology platforms. The planning process must also be fully supported by firm leadership and involve collaboration among appropriate stakeholders.  

Yet as daunting as it can seem, there are proven structures for cybersecurity planning that can guide the process. Finra and the SEC each recommend—encourage, in fact—the use of basic standardized frameworks to get started. The National Institute of Standards and Technology (NIST) framework is one such structure firms can leverage to formulate a plan that will reflect unique areas of risk.

Exploring the planning process for the first time can be challenging given the volume of information available to advisors from NIST alone. But there are essentially three key elements of the NIST framework. Understanding the basics of each is a good place to start.
