Since the onset of the coronavirus, we have heard health officials emphasize time and again that the three most important steps for personal hygiene are hand washing, mask wearing, and social distancing.
Now, given the increasing frequency of cyber-attacks against financial advisers and broker-dealers, experts agree the three best ways to promote cyber hygiene are reviewing firm policies and procedures, implementing detection and prevention controls, and training employees regularly.
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has observed a recent uptick in the number of cyber-attacks against member firms, some of which have resulted in the loss of client assets and unauthorized access to client information.
In particular, OCIE is encouraging firms to take preventative measures against what it says is the disturbing practice of “credential stuffing,” a method of cyber-attack in which attackers buy lists of email addresses, phone numbers, and passwords on the dark web and then use those credentials to try to log in to accounts on other sites. The dark web is a part of the internet that bad actors frequently visit because it is not visible to search engines and requires the use of special anonymizing software to access.
The Equivalent of a Cyber Vaccine is Available Now
Unlike the ongoing wait for science to develop a credible vaccine against COVID-19, financial advisors, broker-dealers, and individual investors can take steps today to thwart cyber pirates who relentlessly try to find a firm’s weakest link so they can plunder client accounts.
“Cyber hygiene should be top of mind for everybody, whether you’re an investment adviser or an individual,” said James L. Smith, Senior Compliance Consultant with Core Compliance and Legal Services.
“When you are an investment adviser or broker-dealer, you are busy running your business, and it’s easy to be distracted. Unfortunately, it is easy to let taking proactive steps in cybersecurity slide when you are focused on the everyday volatility of the stock market, managing assets, and answering questions from clients.”
Tips for Practicing Successful Cyber Hygiene
Smith says investment advisers can help protect against credential stuffing by running frequent penetration tests on their computer firewalls. This includes tests of outside internet-facing websites, testing of internal sites to ensure the security of information, and frequent testing of computer software to make certain patches are up to date. IT departments also should be wary and monitor for a higher-than-usual number of log-in attempts or failed attempts by those seeking account information.
Another often-overlooked best practice in a successful cybersecurity program is the need for firms to require multi-factor authentication from their clients.
“Essentially, advisors should set up a two-step requirement for clients to log into their systems,” Smith said. “Unfortunately, people often use the same password when they’re logging into multiple sites. The beauty of multi-factor authentication is that it regenerates an access code.”
Best practices in cyber hygiene include conducting periodic reviews of your firm’s policies and procedures and incorporating password standards consistent with industry best practice for length, complexity, and duration. There’s also a deterrent many individuals are aware of, since it is required on many different sites today: a CAPTCHA, an acronym for ‘Completely Automated Public Turing test to tell Computers and Humans Apart.’ It is a common response test used to help determine whether a computer user is a human or an automated script or bot.
But when it comes to protecting your firm and client assets from potential cyber-attacks, the best preventative measure is educating employees on an ever-growing list of cyber do’s and don’ts.
“The weakest link in any good cybersecurity program is the failure to revisit best practices with employees on a regular basis,” Smith said. “Employees should learn to understand the potential harm caused by phishing emails or malware. A firm should also run tests to see if employees recognize certain phone numbers or voices of senior management.”
Is Your Firm Cyber Secure?
In the SEC’s most recent Risk Alert to member firms on cybersecurity, OCIE advised firms to review and evaluate the sufficiency of their customer account protection safeguards and identity theft prevention programs. OCIE also encouraged firms to consider customer outreach regarding the implementation of safeguard measures.
Core Compliance offers specialized services related to running a cybersecurity risk assessment. “We can come in, take a look at an adviser’s program, and interview personnel,” Smith said. “We look at such aspects as a firm’s policies and procedures, the controls they have in place, and the vendors they’re utilizing to run their program. Then we can identify any gaps they may have and make recommendations to the firm on remedying these gaps and implementing best practices.”
Contact us today at 619.278.0020 or firstname.lastname@example.org to review your firm’s cybersecurity policies and procedures and cyber controls.