Cybersecurity Checklist For RIA Firms

Each and every investment advisory firm should have an established cybersecurity policy that includes procedures to enact in the case of a breach. Here are the four main areas that should be covered:

Identify The Risks  

  • Conduct an annual assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information.  

  • Annually inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment used by the firm.

  • Locate sensitive data and identify the device(s) on which it is stored. Also record each and every employee who has access to the data.

  • Identify client information transmitted via email, cloud services, firm websites, custodians and other third party vendors.  

Protect The Data  

  • Establish authentication procedures for employee access to email on all devices (computer and mobile devices).  

  • Passwords for access to email are changed frequently (e.g. monthly, quarterly).  

  • Client instructions received via email are authenticated.  

  • Due diligence has been conducted on the cloud service providers, custodians and other third-party vendors, and they have been evaluated as to whether they have documented safeguards against breaches.

  • All records are backed up and stored off-site.  

  • Address data security and/or encryption requirements when transmitting information. 

Detect Threats  

  • Run anti-virus software on all devices accessing the firm’s network, including mobile phones. Anti-virus updates are run on a regular and continuous basis.

  • Make sure employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events such as phishing and ransomware.  

  • Actively run reports on server and other databases looking for suspicious activity on a regular and continuous basis. 

Prepare and Restore  

  • Have a plan and procedure in place to immediately notify authorities and clients in the case of a security threat or breach.  

  • Have a business continuity plan to implement in the event of a cybersecurity event.  

  • Have a process for retrieving backed up data and archival copies of information.    

  • Have employees follow the policies and procedures for storing and archiving information, and for the retrieval process used to restore the information and data.