No advisor wants to think a cybersecurity breach could happen to them, but ignoring the possibility only increases the risk of exposure. Unfortunately, the registered investment advisor (RIA) industry is a long way away from being "cybersecure." In fact, the SEC's Office of Compliance Inspections and Examinations (OCIE) found in a sweep exam of RIAs that 74 percent had experienced cyberattacks either directly or indirectly through vendors.

Here are seven of the most common mistakes that advisors make when protecting their firms from unwanted cyberattacks and security breaches. 

7. Not Budgeting Appropriately For Cybersecurity

Cybersecurity management requires a commitment of time and resources. Unfortunately, many advisors fall short when budgeting for cybersecurity, which increases their firm's exposure to a potential breach. RIA owners need to consider cybersecurity investments as part of their firm's larger risk management budget, and as an investment in cost avoidance. Experience has shown that for advisors with some security measures already in place, a good rule of thumb is to take their annual IT budget and add 25 percent for cybersecurity protection—i.e., a business-class firewall—in addition to ongoing training and policy management.

6. Delegating Full Cybersecurity / IT Oversight To Employees

RIA owners cannot afford to delegate cybersecurity and IT oversight entirely to their firm's resident technology expert. Cybersecurity threats are increasingly sophisticated, and the regulatory environment is evolving too. Ultimately, it is the RIA owner's responsibility when something goes wrong, so owners need checks and balances in place for their own protection. 

Firm owners need to monitor how their IT policies and procedures are executed, and whether there are any insider leaks. Cybersecurity mistakes happen when policy is not adhered to and when no one monitors what is happening. RIA owners need to know who is logging in to what, when and where, in the event of a cybersecurity breach. Employees can manage IT issues and functions, but procedures must be documented.
