Broker Dealers and Registered Investment Advisors (“RIAs”) live in a time of data threats from all angles. The financial services industry is faced with many unique requirements for storing sensitive client data for extended timeframes, and by doing so, the industry has become a primary and lucrative target for scammers. The following practices help ensure that access and data integrity is controlled and tracked properly. Cybercriminals are constantly developing new ways to infiltrate systems, and the only way to mitigate the threat is to keep evaluating what your broker dealer or RIA can control and improve what it cannot control with technology and best practices.
Understand Vendors and Access Points
Understanding who, how, and when users can access data is an essential front-line defense. Your broker dealer and/or RIA is strongly encouraged to create a comprehensive vendor list which details all potential breach vulnerabilities at your firm. This not only helps regulate access permissions/levels applicable to roles, but it also provides easy points of inactivation and tracking when needed.
Email Encryption (Barracuda, Mimecast, NordVPN, Microsoft 365 Message Encryption, etc.)
Many common public email servers use weak end-to-end encryption, and it is only effective if both the sender and receiver endpoints both use message encryption. More than ninety percent of malware attacks originate from emails combined with click-happy users. The bigger message is that rather than using uncertain systems, a safer alternative employs a fully encrypted transmission system, an access portal to house message content and files, and end-point security software.
Third-Party Data Sharing Portals (ShareFile, Egnyte, Box, etc.)
There are multiple FINRA approved third-party data sharing portals on the market today. While it is true that an extra step of logging into another website or application can be cumbersome, avoiding the headache of data loss is worth it. Additionally, users will not have to worry about file size limitations or password protecting attachments as one would if transmitting by email. The added cost and effort are well worth the investment for your broker dealer and the client.
Password Security
Password security is critical to overall data security. Access points are only as good as password and multi-factor authentication practices. This past year, IBM’s security team reported that almost a quarter of all breaches were the result of compromised credentials. In the financial services industry, there is an endless number of daily logins and passwords to manage. Best practices include:
- No texting, emailing, or instant messaging of passwords among users
- Make passwords unique, complex, and regularly changed
- Use multi-factor authentication (MFA/2FA) when possible
- Avoid password managers, auto-storage of passwords, post-it notes, or Google Docs
Cybersecurity Insurance
Understanding the various situations that a cybersecurity insurance policy will or will not cover can help your broker dealer and/or RIA firm design an efficient and comprehensive cybersecurity program customized to your firm’s needs. Just as important are the available recovery assistance services. Reading and understanding the fine print is key to accessing overall benefits; cybersecurity insurance is not effective if the claim is denied due to inadequate security practices.
Every firm in the financial services industry has an obligation to ensure data security for its firm and clients. Multiples resources exist that help place barriers between the data and the villains. Consult with your internal IT staff or managed service provider (“MSP”) to assess if any systems are at risk and what could be proactively implemented to prevent the unthinkable.
Securities Compliance Management, Inc. (“SCM”) is sending this communication as a reminder to all broker dealers and registered investment advisors to consider the importance and relevance of each area discussed and how it may or may not apply to your firm’s business. Please contact SCM here to speak to a professional compliance consultant who can assist your broker dealer with training of staff, updating procedures, or guide procedure implementation.