A recent Investment News article highlighted issues that investment advisors face with their cybersecurity programs during regulatory examinations.

First, don't assume that your insurance policy covers the aftermath of a cyber-event. If you think you have coverage, make sure you document that understanding so that you do not have a shock when it is too late to do anything. A sound policy will cover, among other things, the costs of notifying your customers of a breach and the costs of technical support to close the gap.

Second, be certain that you have detailed written policies and procedures on cybersecurity, including what must be done in the event of a breach. These policies should also detail the known risks – such as working with third parties – and how the firm intends to address them.

Third, be certain that these policies and procedures are communicated to all individuals associated with the firm. Conduct adequate training on those policies, and emphasize the importance of diligence when it comes to cyber-awareness.

Fourth, you should use your cybersecurity as a way to market to your clients. Clients are well aware of these issues and want to have some sort of assurance if they are going to trust you with their money.

If you don't believe that this is one of your most important areas of focus, do nothing and see what your regulator thinks during your next exam. Worse yet, see what your clients think after a data breach when you scramble because you did not take steps before the breach to prepare for the worst.
