Journal of Financial Planning: April 2019
Brian Edelman is a nationally recognized cybersecurity expert specializing in the financial services industry. He is CEO of FCI, a managed security service provider that offers cybersecurity solutions for financial services firms. He is also the FPA Coaches Corner coach for cybersecurity.
Today’s cyber environment has cultivated a perfect storm for financial planners. The timing and velocity of cyberattacks, combined with an increase in regulation, require more than just a defensive posture. To be successful in 2019, financial planners need to be proactive, not reactive by default. It all starts by implementing basic cybersecurity tools and protocols, then architecting a modern cybersecurity framework around them—one that satisfies current laws and provides clear, documented evidence of enforcement.
At the time my company began managing cybersecurity in 1995, cyber incidents looked a lot different. Today, cyber threats come from all areas of the globe and a host of bad actors. One cyber incident can bring down an enterprise. The reputational risk alone creates a negative multiplier effect of losing clients, licenses, and the cooperation from regulators when a firm is ill-prepared. The good news is playing the cyber offensive is relatively easy with these five tips for success:
Use Multi-Factor Authentication
Financial services firms that adopt multi-factor authentication (MFA) require a user to provide more than just a password to access a network. An example of MFA is logging into a website that sends a numeric code to your phone in order to grant access to your account. The technology is simple and does not require one to be a computer genius to use.
Employ Data Loss Prevention Tools and Settings
Data loss prevention (DLP) tools and settings are critical for regulatory compliance and safeguarding your clients’ data. Firms should already be using antivirus protection, encryption, and screen locks. Antivirus subscriptions protect multiple devices. Furthermore, encryption and lock screens on a cell phone are simple to use, inexpensive, and easy to enforce.
Printed Cybersecurity Policy and Practice Drills
Most firms have a cybersecurity policy, but only a small percentage print them and run cyber practice drills. A hard copy of the cybersecurity policy enables immediate access should a firm’s network become compromised or inaccessible. Running practice drills ensures everyone understands their role and responsibility for the firm’s cybersecurity policy.
Build a Cyber Dream Team
On a previous FPA Coaches Corner webcast, we explained how to build a cyber dream team and its roles and responsibilities (access this webcast at OneFPA.org/CoachesCorner and click on “cybersecurity”). An ideal team, for example, is composed of your firm’s chief information security officer (CISO) and a cyber expert. A cyber expert is formally trained in cybersecurity and incident response planning and should have a deep understanding of the regulations.
Documented Cybersecurity Evidence
One of the most important functions is generating proof and evidence for the regulators. Without it, no one (including the cyber insurance company) will believe a firm is in good order. Various cyber documents, such as a written information security policy, or WISP, and cyber asset audit report, create the body of proof. These documents should also be printed in case the system is compromised.
Playing the cyber offensive will position financial planners operating under a fiduciary standard for success, whereby acting in a client’s best interest forms the basis of the client relationship.
This is an excerpt from the FPA Coaches Corner white paper, “Make 2019 Your Year: Business and Career Tips to Get the Most Out of 2019.” Access the complete white paper at OneFPA.org/CoachesCorner.