Without thorough and effective business continuity planning, a disruption of any size can affect your business’s productivity, bottom line, and customer satisfaction, but that’s not all.
In a recently proposed rule by the Securities and Exchange Commission (SEC), the SEC indicated that because of the fiduciary duty an adviser owes to its advisory clients to protect its clients’ interests:
“it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”
Under the proposed rule, you’ll be required to:
In fact, the proposed rule would prohibit a registered investment adviser from providing investment advice unless it had adopted and implemented a written business continuity plan and transition plan and such plan is reviewed at least annually by the adviser. According to the SEC, if “an adviser is unable to provide advisory services after, for example,…a cyber-attack…its temporary inability to continue operations may put clients’ interest at risk and prevent it from meeting its fiduciary duty to clients.”
“On the basis of these statements by the SEC, every BCP should include cybersecurity measures” – Kevin Scanlan
So now not only will business disruptions hurt your bottom line and your client relationships, but they could also result in consequences for SEC violations. That’s why robust Business Continuity Planning is more important than ever.
Our business continuity service features a range of necessary solutions, all for one low fixed monthly price per protected server. Key features of this service include:
For expert consultation on SEC rules, and robust Business Continuity Planning support, reach out to Brainlink at (917) 685-7731 or raj@brainlink.com right away.
David Edwards, President, Heron Wealth started the discussion by sharing his journey. David started his career in systems at Morgan Stanley, so he knew how to use and manage IT well. Two years ago, he realized that he could no longer manage the IT and compliance issues for his firm by himself, so he engaged Raj Goel and Brainlink International to manage the onsite IT and improve cybersecurity at Heron. He also engaged Craig Watanabe, Senior Compliance Consultant, Core Compliance & Legal Services to implement training for Heron staff.
Over the past 24 months, Heron has had:
He reminded the audience about the story of two hikers encountering a bear in the forest. “You don’t have to outrun the bear to survive – you just have to outrun the other hiker!”
Per David, the key risks that firms need to worry about are:
6-Month Cybersecurity Action Plan (developed by Raj Goel/Brainlink for Heron Wealth)
By working with Brainlink and implementing a multi-layer defense for his firm, David has established Heron Wealth as a leader in cybersecurity and is routinely featured in financial planning and wealth advisor magazines as well as conferences as a proactive thought leader.
Craig Watanabe focused on the HUMAN ELEMENT of cybersecurity.
User training is critical.
He recommends IN-person training – 1-hour training at the start of the year, then short monthly reminders.
The entire panel agreed that using web-based training or CBT systems is a waste of time.
Craig told the story of a friend who used to work at Sony Pictures. Sony’s cybersecurity training consisted of having people watch online videos/courses, then answer a few multiple-choice questions. Most people started the training, let it play in the background while they did “real” work and then guessed at the answers.
THIS IS NOT EFFECTIVE TRAINING – this is a waste of time & money.
He strongly emphasized that focused, short, in-person training delivers higher ROI than other methods.
Craig also emphasized that his firm trains employees not only in securing corporate IT systems, but also in protecting their home equipment. Raj jumped in with Brainlink’s approach, which focuses on 360-degree threat analysis and training. It does a firm no good to train staff at work, then send them home to defenseless, infected systems. Both Raj & Craig strongly recommend training staff to implement strong cybersecurity at home as well as at the office.
Two Factor Authentication
All three panelists agreed that passwords are your weakest link. Using simple or weak passwords is poor security practice.
All three panelists urged the audience to adopt two-factor authentication.
Brainlink uses (and recommends):
The INCIDENT RESPONSE panel had some good advice as well:
If you host on AWS, read Amazon’s SOC 2 report and make notes & comments in the margins. Put the marked-up document in your vendor file. Review contracts. For one RIA, their administrators didn’t perform a critical function for 3 months and didn’t notify the client. The administrator thought it was amusing; the RIA saw it as firm-ending.
Another firm went through the SEC exam – you’re not as good as your best exam or as bad as your worst exam.
Many vendor contracts limit liability to contract fees – that’s unacceptable.
Vendor due diligence visits – visit their HQ, not their sales offices. Do at least one onsite visit and then determine how often it’s appropriate.
Don’t count on your vendors to pay for the breach & screwups. Liability is your responsibility. Review your vendor’s SLA limits – how fast after an outage can they get you back in business?
Raj’s Top 7 Action Steps
Brainlink clients enjoy success, security practices they can rely on and a competitive advantage in their industry because we know the cybersecurity industry better than most. Brainlink helps firms by:
TRAINING RESOURCES TO SHARE WITH YOUR STAFF, INTERNS, SPOUSE & KIDS:
To that end, Raj recommends sharing the following slides & videos with your staff:
Protecting Your Business & Your Family:
https://www.brainlink.com/wp-content/uploads/2016/04/2016-04-20-RajGoel_BOMANY_v1b.pdf
Lessons Learned From Hurricane Sandy
http://www.slideshare.net/rajjgoelny/20130923asis59rajgoellessonslearnedfromsandyv1d
Ransomware Warning Email
https://www.brainlink.com/when-your-computer-has-been-taken-hostage-what-to-do-about-ransomware/
Social Media Awareness Training
https://www.youtube.com/watch?v=HpOg1Sgmpok
NASCAR & Ransomware
https://www.linkedin.com/pulse/ransomware-just-put-nascar-team-blocks-could-attack-stall-raj-goel
To learn more, visit www.brainlink.com/IAWATCH/ right away. To talk to Raj, reach out at (917) 685-7731 or raj@brainlink.com
The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) has listed cybersecurity as a key focus area in its 2015 risk-based assessments.
The addition of cybersecurity as a 2015 OCIE priority comes on the heels of the April 2014 release of sample cybersecurity questions OCIE stated it may use in conducting examinations of registered entities regarding cybersecurity matters. On February 3, 2015, OCIE then released summary findings from its Cybersecurity Examination Sweep. Brainlink’s team is assisting clients in creating Written Information Security Policies (WISP) and conducting WISP Audits of existing policies.
Any person or company that has access to client or employee information needs to ensure they implement the appropriate level of administrative and technical safeguards. Additionally, anyone or anything with access to your confidential information needs to have preventative measures in place for protecting that data.
A Brainlink-created Written Information Security Policy (WISP) details the policies and procedures for ensuring confidential data is protected, how it’s being protected and who is ensuring it’s protected.
It includes Administrative and Technical Safeguards. Administrative Safeguards:
Reach out to Brainlink at (917) 685-7731 or raj@brainlink.com today to schedule your security assessment.
As a member of the financial industry, you never stop worrying — even just a little — about the SEC Office of Compliance Inspections and Examinations (OCIE). Their cybersecurity exam sweeps are detailed, intensive, and constantly updating to keep up with changes in the industry.
Given the ever-evolving range of cybercrime dangers that threaten your firm on a daily basis, it has quickly become evident that cybersecurity can’t be ignored.
This Data Breach Incident Response Plan provides the plans, procedures and guidance for the handling of data breach events at our office(s), or via any of our servers or mobile devices.
The plan encompasses procedures on incident response engagement and how the incident response team will communicate with the rest of the organization, with other organizations, with law enforcement and provides guidance on federal and local reporting notifications processes.
The Financial Industry Regulatory Authority (FINRA) released a checklist last year, based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the SRO’s Report on Cybersecurity Practices, which is made up of five key questions to help your firm analyze its security:
The Securities and Exchange Commission has released its first Investment Management Guidance Update in nearly two years, noting that “because funds are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses”.
A key factor in the update is that specified registrants are now required to use independent contractors for certain types of cybersecurity testing, ensuring that the focus is kept on enterprise risk management and governance:
These proposed modifications are aimed at enhancing the ability of regulated entities to tailor cybersecurity programs and policies to counter their own particularized risks and threats, focusing on a number of areas including Written Policies, Employee Training, Board Involvement and more.
But, at the end of the day, you just want to know what this most recent update means for your wealth management firm. These are the questions you need to ask yourself:
Written Policies and Implementation
Division of responsibilities between IT and Compliance
Board and C-Level Involvement
Litigation Exposure
Employee Training
What topics are you focusing on?
Not sure about how to answer these questions? Brainlink will help.
For more information about SEC OCIE Guidance and what the recent updates mean for your firm, reach out to Brainlink right away at (347) 460-2238 or raj@brainlink.com.
Raj Goel, CISSP
Chief Technology Officer, Brainlink International, Inc