In most financial planning firms today, nearly all business operations depend on some form of cloud-based technology or other data storage system. And given the sensitive and personal nature of client information that financial advisors are entrusted with and work with on a daily basis, reliable security measures need to be implemented to protect that client data, wherever it is stored. In fact, both the SEC and FINRA have increasingly recognized the significance of cybersecurity measures for financial planning firms in recent years, and offer extensive regulations, rules, and guidelines to ensure advisors effectively protect client and firm data against the vast expanse of malicious cyber-threats that attempt to steal valuable Personally Identifiable Information (PII) across the globe on a daily basis.
However, the rules and regulations around cybersecurity and identity theft can seem overwhelmingly complex to deal with, especially for financial planners who are sole proprietors or who work in smaller firms. As while larger firms have the staff infrastructure of dedicated IT and compliance teams, smaller practices don’t have this option and are often left to their own devices (or seek out consultants at additional compliance cost) to develop cybersecurity plans for their practices.
Even more problematic, though, is simply the fact that most financial planners became financial planners to be financial planners… not cybersecurity experts. And while most financial planners may know enough about computer systems and basic internet processes to manage their firms, few have an extensive background in IT sufficient to fully develop their own sound, yet manageable, cybersecurity plan.
In this guest post, Preeti Shah – herself the founder and sole proprietor of Enlight Financial, an RIA located in Matawan, New Jersey that works with physicians and business owners – shares her own 16-point cybersecurity plan that she personally developed, and how she boiled down the complex regulatory requirements of cybersecurity into practical categories of tools and systems to manage and implement on her own.
In practice, Preeti converted her cybersecurity requirements into a comprehensive checklist that includes measures to protect her email systems, ensure safe mobile technology practices, provide secure document storage and software solutions for use with her clients, maintain a secure physical working environment, and provide for an emergency plan in case disaster strikes.
Ultimately, the reality is that no cybersecurity plan will be perfect as cyberthreats continually evolve. Still, though, a work-in-progress framework that continues to evolve as each point is revisited and improved upon over time can help protect key data and demonstrate to regulators a good-faith effort to do so. And the reality is that financial advisors don’t need to be cybersecurity experts to implement a reasonably sound plan to better protect their clients’ and their firm’s confidential data… at least once their cybersecurity requirements are boiled down to more practical steps that can be implemented!