The U.S. Securities and Exchange Commission takes protecting clients’ data seriously.
In August, the SEC ordered eight financial firms to pay a combined $750,000 in fines for shortcomings in cybersecurity protections that led to client data being exposed over a four-year period.
The firms were charged with violating the so-called Safeguards Rule, which requires registered broker-dealers, investment companies and investment advisers to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
“Broker-dealers and financial institutions have been led to believe that the only time that they will be questioned on their cyber policies is when there is an exam. The reality is that the regulators have been doing a magnificent job and making it very clear that financial institutions must take cyber seriously,” says Brian Edelman, CEO of FCI Cyber, a cybersecurity automation platform.
How the SEC Examines Cybersecurity Programs
The SEC’s Division of Examinations, formerly the Office of Compliance Inspections and Examinations, has identified the features of an effective cybersecurity program:
- Senior-level engagement: It starts at the top of the organization. Senior leadership sets the strategy and oversees the program.
- Risk assessment: Executives conduct risk assessments to identify, manage and mitigate cyber risks relevant to the organization’s business.
- Policies and procedures: Financial institutions adopt and implement comprehensive, written cybersecurity policies and procedures.
- Testing and monitoring: Organizations establish comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures on a regular and frequent basis.
- Continuously evaluating and adapting to changes: Effective programs respond promptly to testing and monitoring results by updating policies and procedures to address any gaps or weaknesses.
- Communication: Effective programs establish internal and external communication policies and procedures to provide timely information to decision-makers, customers, employees, market participants and regulators.
This is merely guidance, and the effectiveness of any cybersecurity effort is judged by how it protects customers and other stakeholders from data breaches and hacks.
What Advisers Can Do to Improve Their Cybersecurity Programs
Edelman suggests three actions advisers can take immediately, if they haven’t done so already, to enhance the cybersecurity at their institutions:
- Appoint a chief information security officer: This executive has ownership over the organization’s cybersecurity program. “The easiest way to tell if somebody is in compliance or not is to see whether or not they have a chief information security officer,” Edelman says.
- Draft an information security policy: “We’re now seeing financial institutions ask about information security policies of other financial institutions before they will do business,” Edelman says.
- Enable multi-factor authentication on all company devices: This common practice limits access to sensitive customer information and can curb data breaches.
“We’re seeing a lot of companies adopt these policies organically in the market,” Edelman says. “The end result is that, if we follow the instructions laid out by the regulators, we will have a cyber-secure financial market. If we don’t, we could lose trillions of dollars to bad actors.”
Ebix SmartOffice, a customer relationship management solution, can help financial advisers enhance their cybersecurity through multi-factor authentication, preventing network access from unknown users, and identifying all devices on a network.
Continue the Cyber Security Conversation!
Live Webinar with FCI's Brian Edelman
Join Brian Edelman, FCI CEO, for an overview of the vital role evidence plays in achieving cybersecurity compliance.
Wednesday, Oct. 20 - 1pm EDT / 12pm CDT / 10am PDT
