Bruckenstein, Hamburger And Edelman Discuss Pressing Cybersecurity Issues In Assessments, Compliance, Vigilance, Insurance And The Zero-Trust Ecosystem
As the T3 Advisor and Enterprise Conferences and Orion Ascent approach quickly, all eyes across the industry turn again to wealthtech and how it enables us to improve in multiple ways. From CRM and compliance to marketing and money management, no industry player can ignore technology for long without losing a competitive edge.
One of the most crucial industry needs that wealthtech serves is cybersecurity. As cybersecurity threats continue to capture headlines in high-profile ransomware and data leak cases, intrusions that threaten wealth management client data continue to rise. An advisor’s ordinary data files are a treasure trove to cyberthieves.
The answer lies in technology-based solutions that defend against threats while responding to insurance and compliance needs.
Our Panel Of Experts
To learn more, we spoke with a panel of experts with extensive experience in technology, law, compliance and cybersecurity:
- Joel Bruckenstein, Publisher of the T3 Tech Hub and Producer of the T3 Advisor and Enterprise Conferences
- Brian Edelman, CEO of FCI
We asked each expert the following question:
Cyber attacks seem to be constant these days, and breaches occur with increased frequency. What are the top two cybersecurity items that firms should consider as they make their 2023 technology investments?
Their responses follow:
Financial advisory firms are still not taking cybersecurity seriously enough. The 2022 T3/Inside Information Technology Survey found that only approximately 20% of firms surveyed had engaged with a third-party cybersecurity resource, and we defined the term broadly.
Based upon my experience as a consultant, I suspect that well under 10% of independent RIA firms are fully implementing a vigorous, comprehensive cybersecurity program. As others in this roundtable suggest, the first step in preparedness is to regularly conduct a full cybersecurity assessment led by a third-party cyber expert firm.
Second, if you have cybersecurity insurance – and you should – it does not mean you are safe. Every cyber policy written today prescribes the steps a firm must take for a claim to be paid. Regular cybersecurity risk assessments are just one task firms must perform to be compliant with the terms of their insurance policies.
At the risk of stating the obvious, an insurance policy is a contract. It obliges each party to fulfill certain obligations. The advisor’s obligation does not end with paying the premium. If the advisor does not fully comprehend and fulfill all their obligations under the contract, the policy will not pay in the event of a breach or other insured incident.
Cybersecurity remains a perennial focus area for the SEC despite there being no SEC rules. The SEC recently confirmed it will focus on firms’ policies and procedures, governance practices, responses to cyber-related incidents, including those related to ransomware attacks, and RIAs’ compliance with Regulations S-P and S-ID, where applicable.
The focus on policies and procedures will include a review as to whether they are reasonably designed to safeguard customer records and information – both information residing in registrants’ systems and stored through a third-party provider – as well as whether the location of such records has been properly disclosed to the SEC, where required.
The SEC will also continue to look at firms’ practices to prevent account intrusions and safeguard customer records and information, including personally identifiable information, while recognizing that personnel may continue to access information in a remote environment. Additional focus will be on the cybersecurity issues associated with the use of third-party vendors, including registrant visibility into the security and integrity of third-party products and services.
In addition, the SEC’s focus will include a review of whether there has been an unauthorized use of third-party providers, particularly for transition assistance when departing RIA personnel attempt to migrate client information to another firm. Lastly, the SEC will continue to assess systemically significant registrants’ operational resiliency planning, such as their efforts to consider or address climate-related risks.
Brian Edelman, CEO, FCI
As cyber threats increase in numbers and sophistication, the need for robust cybersecurity measures in financial services becomes even more critical. This discussion covers two essential elements of a comprehensive cybersecurity strategy: completing a risk assessment from an independent third party and implementing a zero-trust ecosystem to protect applications, data, users, devices and networks.
A risk assessment is a critical first step in identifying and mitigating potential cybersecurity risks. Completing a risk assessment from an independent third party that understands cybersecurity regulations in financial services provides an objective and unbiased evaluation of the organization’s security posture.
This evaluation can help identify potential vulnerabilities and highlight areas where additional security measures are needed. It also helps identify areas where the organization is not meeting regulatory compliance requirements.
Cybersecurity experts confirm that siloed cybersecurity is no longer sufficient. The interconnected nature of applications, data, users, devices and networks necessitates the implementation of a zero-trust ecosystem. This holistic approach to security ensures that all components are protected comprehensively and cohesively, mitigating the risk of data breaches and cyberattacks.
These measures help financial services organizations identify potential vulnerabilities, meet regulatory compliance requirements and protect critical assets against cyber threats.
Julius Buchanan, Managing Editor at Wealth Solutions Report, can be reached at firstname.lastname@example.org