Cyber Security Risk…Threat or Reality

the answer may surprise you…

I. Intro
So, the question isn’t whether your systems have been breached; the question is how often, and whether your procedures are in place and your employees adequately trained to identify and respond. Some say there are only two types of companies when it comes to Cyber Security: those that do not know their systems have been breached and those that do. Cyber-attacks target all firms regardless of size or industry. Two out of three service providers to the CIA have been breached themselves. How would you rank your cyber security process: detection, prevention, and elimination?

II. State of the State
Cyber security is the number one risk among a majority of firm CEOs and CIOs polled. This is especially true in the financial services industry. From an RIA perspective, small to mid-sized firms are targeted by cyber-attacks just as frequently as large firms. However, from a comparative standpoint, the RIA industry is well below the B/D space as to those actually performing cyber security. Small to mid-sized RIAs lag even further in not being proactive and preventative in cyber security, but the risks and liability are just as high (and potentially higher). Only 13% of RIAs know who was, or would be, responsible in the event of a cyber-attack. Only 9% of those had any sort of loss coverage/guarantee for clients. Well under 5% had any insurance related to cyber threats (and it is available). Further, an extremely high percentage of firms reviewed were not aware that they had been subject to cyber-attacks, usually email and malware intrusions: greater than 90% for B/Ds and around 85% for RIAs.

A high percentage of cyber-attacks are enabled by employees or persons with internal access: most inadvertently, some intentionally. Cyber Security threats may not be able to be eliminated, but they can be identified and retained. Further, don’t be fooled by the fact that you outsource your technologies: you are still liable as well as at risk.

III. Audit Risk: SEC and Regulatory Review
During 2014, the SEC cyber security sweep examined 57 broker-dealers and 49 registered investment advisor firms and found an alarmingly high percentage were not prepared. The 2015 exam priorities for the SEC and FINRA include a Cyber Security Sweep Exam, a deeper review of the firm’s Business Continuity, WISP and technology infrastructure, which includes proprietary and third-party technologies.

IV. Are You Ready?
How secure are your systems? Where are you most vulnerable? What is your security confidence level? Are you aware of where the liability resides? Cyber Security involves more than a myriad of systems and technology trying to work well together. It encompasses people, processes and steady vigilance in monitoring both technology and human activity/interaction. All firms, regardless of their infrastructure, are required to have a program in place to detect and prevent – and if outsourced, confirm that their vendors have a compliance program in place.

V. Action: Cyber Review Process
This is where RegMaven and our expertise provide the most value. We have deep expertise on both the security/systems side and the processing and regulatory side of financial services. With our Cyber Security review process, RegMaven will either complement or confirm where your Cyber Security is (or is not), and ensure there is a diligent and constant process in place to detect, report and stop cyber-attacks as they inevitably appear.

We would like to offer the FPA MA a Cyber Security Webinar (and/or Event Presentation). This program would consist of a panel of industry experts (NSA, SunGard, John Hancock, ex-regulators) to review the real threats and regulatory exposure advisors face every day, and strategies to address them.

Additionally, we are willing to offer FPA MA members our Cyber Review program, which includes a Compliance Assessment, Systems Vendor Review, and a Cyber Threat and Coverage Assessment, at a substantial discount.

About RegMaven

RegMaven has assembled a team of compliance, systems and project management experts to assess a firm’s cyber security program. Our team draws on extensive industry experience including security and systems at the National Security Agency, executive roles at financial services providers such as Sungard and John Hancock, as well as deep and extensive time with FINRA, SEC and other regulatory bodies.

RegMaven was founded in May 2013 by Dennis McCarron and Steve Kenda. The company is located in Londonderry, New Hampshire and provides a complete suite of securities compliance services to Broker-Dealer and Registered Investment Advisor firms. Regulatory Maven delivers distinctive expertise and exemplary results. For additional information about Regulatory Maven please visit, or call us at 603.965.7791.

Contact Info

PO Box 115, Londonderry, NH 03053
(p) +1.603.965.7791
(f) +1.603.434.5899