Over the past few years, several high-profile data breaches have hit major US corporations, including Target, Home Depot, and Equifax, bringing into sharp focus the need for individuals and businesses to protect and defend their personal data. And the matter is especially important for financial advisors, both given the importance of financially-related personal data in particular and the fact that the SEC and FINRA have been increasingly aggressive in enforcing against RIAs and broker-dealers with lax cybersecurity. And in fact, the SEC itself suffered their own data breach in 2016, despite numerous warnings from the GAO about potential security lapses.
Yet while keeping client data secure is an integral part of an RIA’s compliance requirements, there’s little explicit guidance from any regulatory body as to what, exactly, advisory firms are realistically expected to and need to do in order to meet those requirements.
Fortunately, there are steps that RIAs can take to develop, implement, and maintain a cybersecurity program that meets SEC requirements. In this guest post, Patrick Cleary, Chief Operations Officer at Alpha Architect, uses the concept of “brilliance in the basics,” a core tenet in the Marine Corps, to explain how paying attention to basic (but important) details, being proactive, defining the specific reasons why cybersecurity is so crucial, and (most importantly) avoiding complacency at all costs, is at the core of any successful cybersecurity program for an advisory firm.
And while historically financial advisors have had to choose between either outsourcing the task of building out a cybersecurity program, or trying to decipher a mountain of regulatory material that’s heavy on concept but extremely light on actionable information, Patrick details the specific steps that any advisor can take to develop a cybersecurity program. Starting with the National Institute of Standards and Technology’s (NIST) comprehensive Cybersecurity Framework, Patrick provides explicit step-by-step guidance that advisors can take to understand what it is that they should really be managing in the first place, how to develop proper safeguards for client data, how to identify a breach when it does occur, and what actions to take during and after any cybersecurity events.
While there are no silver bullets, or one-size-fits-all approach or solution, the key point is to recognize that, by using the NIST framework and Patrick’s actionable guide, advisors can put themselves in a much better position to protect their clients’ data as well as the viability of their businesses. So whether you are looking for a framework to develop a cybersecurity program, want to stay up to date with a constantly evolving and important aspect of practice management, or want to better familiarize yourself with the subject before talking to a third-party provider, then we hope you find this comprehensive article from Patrick to be helpful!