7 Simple tips for Cyber-Security for Broker Dealers and RIAs
Written by Don Lee
Cyber-Security is a hot topic with the SEC and FINRA. Regulators have announced their examinations will include Cyber-Security and some will have a Cyber-Security exam on its own. But are you ready?
Here are 7 simple things you can implement right now to get started:
1. Create an inventory of your computer network. Include all computers, laptops, printers, servers and anything else connected to your network. Make sure your inventory has your operating system version and ensure all machines have current updates. Many firms use an outside IT vendor or consulting firm to maintain their network. The IT firm should already have this as part of their standard practice, if not, you may want to review them a little more carefully. If you don’t have an IT firm, simply create a spreadsheet with all of the machines on it. Have each person log on to their machines and check the windows settings to see what version you have an if you are up to date and log this in your inventory report.
2. Review the use of thumb/ USB/ jump drives in your organization. See if your reps or personnel are using these devices and if they are password protected. There are simple and effective password protected USB drives available for as little as $12 which is a great investment in the event the USB drives get lost and end up in the wrong hands.
3. Create a password policy on all computers. There are two things here: first you want to make sure that all computers, laptops, mobile devices and smartphones with email access are password protected. Second you want to make sure there is a password change policy. Typically most firms change passwords every 90 days. This change of password includes the computer access and the email access. This can be a bit of a pain to some, but is an effective measure.
4. Create a call back procedure for all money movement requests. The SEC announced a few years ago that there was an increase in email hijacking where impostors would send email requests for wire requests. This has gotten some firms in trouble who never verified the requests and sent funds out to the hijackers. A simple call back procedure reduces this risk.
5. Create a policy to password protect attachments with customer data. This is a very simple, easy and cost effective way of protecting your clients data. Most firms use Microsoft Office to send these documents or PDF. These tools have password protection features where you can password protect the document prior to sending it out. Remember you have to send the password, but never send it in the same email, send it in a separate email so that if the first email gets hijacked it wont have the password.
6. Create a Cyber-Security policy and procedure. This should be done with the help of your IT firm. For those firms that are using compliance consultants, most of them provide a draft format of these procedures that can be customized for your firm. For firms that don’t have consulting firm, try putting one together using the guidance set forth by the SEC and FINRA. This is important as the first things regulators request are procedures.
7. Third party Cyber-Security audits are on the rise and for good cause. Most firms are having independent third parties review their networks for vulnerabilities and obtain a report which is their starting point to get things fixed. These audits aren’t cheap and start at about $10,000. Firms should consider this even if its done one time because IT networks don’t change very often. One audit of this nature should last the firm for a little while unless changes are made to the network.
FinWebTech is a service as a software (SaaS) development company creating web applications to solve the growing needs of financial services firms. FinWebTech’s first product is Catalyst, an automated compliance solution for the securities industry. Catalyst provides firms with: Transaction Surveillance for AML and Suitability; Risk Assessments and Management; Supervisory Controls and Audit Logs, KYC, Document Repository and other tools to assist compliance departments manage their programs and reduce risk. Catalyst is priced to give small to medium sized firms access to compliance technology.
For more information on FinWebTech and Catalyst, please contact Don Lee at
email@example.com or 305-409-1307