Cybersecurity Checklist For RIA Firms
Each and every investment advisory firm should have an established cybersecurity policy that includes procedures to enact in the case of a breach. Here are the four main areas that should be covered:
Identify The Risks
Conduct an annual assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information.
Annually inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment used by the firm.
Locate and identify sensitive data and identify on which device(s) the data is stored. Also record each and every employee that has access to the data.
Identify client information transmitted via email, cloud services, firm websites, custodians and other third party vendors.
Protect The Data
Establish authentication procedures for employee access to email on all devices (computer and mobile devices).
Passwords for access to email are changed frequently (e.g. monthly, quarterly).
Client instructions received via email are authenticated.
Due diligence has been conducted on the cloud service providers, custodians and other third party vendors, and they have been evaluated as to whether they have documented safeguards against breaches.
All records are backed up and stored off-site.
Address data security and/or encryption requirements when transmitting information.
Detect Threats
Run anti-virus software on all devices accessing the firm’s network, including mobile phones. Anti-virus updates are run on a regular and continuous basis.
Make sure employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events such as phishing and ransomware.
Actively run reports on servers and other databases looking for suspicious activity on a regular and continuous basis.
Prepare and Restore
Have a plan and procedure in place to immediately notify authorities and clients in the case of a security threat or breach.
Have a business continuity plan to implement in the event of a cybersecurity event.
Have a process for retrieving backed up data and archival copies of information.
Have employees follow the policies and procedures for storing and archiving information, and for the retrieval process used to restore the information and data.