Cybersecurity Checklist For RIA Firms

Each and every investment advisory firm should have an established cybersecurity policy that includes procedures to enact in the case of a breach. Here are the four main areas that should be covered:

Identify The Risks 

  • Conduct an annual assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information. 

  • Annually inventory of all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment used by the firm. 

  • Locate and identify sensitive data and identify on which device(s) the data is stored.  Also record each and every employee that has access to the data. 

  • Identify client information transmitted via email, cloud services, firm websites, custodians and other third party vendors. 

Protect The Data 

  • Establish authentication procedures for employee access to email on all devices (computer and mobile devices). 

  • Passwords for access to email are changed frequently (e.g. monthly, quarterly). 

  • Client instructions received via email are authenticated. 

  • Due diligence has been conducted on the cloud service providers, custodians and other third party vendors and evaluated as to whether the they have documented safeguards against breaches. 

  • All records are backed up and stored off-site. 

  • Address data security and/or encryption requirements when transmitting information. 

Detect Threats 

  • Run anti-virus software on all devices accessing the firm’s network, including mobile phones.  Anti-virus updates are run on a regular and continuous basis. 

  • Make sure employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events such as phishing and ransomware. 

  • Actively run reports on server and other databases looking for suspicious activity on a regular and continuous basis. 

Prepare and Restore 

  • Have a plan and procedure in place to immediately notify authorities and clients in the case of a security threat or breach. 

  • Have a business continuity plan to implement in the event of a cybersecurity event. 

  • Have a process for retrieving backed up data and archival copies of information. 

  • Have employees follow the policies and procedures regarding the storage and archival, and the retrieval process to restore the information and data.