A lot of RIA firms have, in recent years, spent heavily on new technology to protect themselves against cyber attacks. But sometimes they use more money than sense, a panel of speakers at the Investment Adviser Association's compliance conference said.
“Spending the money alone is not the solution,” said David Glockner, director of the Securities and Exchange Commission’s Chicago regional office.
Glockner said it was frustrating to see firms spend money on systems they weren’t using properly. “They thought they were way more secure than they really were,” Glockner noted.
“The tool is only one part of the solution. You really need to have the people or services behind it that know how to use these tools,” says Gerald Stegmaier, a partner in Goodwin Procter’s privacy & data security and technology company practices.
Tom McLain, senior vice president and chief information officer at Old Mutual Asset Management, said firms needed to do a better job of vetting the outside vendors they were using to protect their systems, both before they are hired and then on a regular basis thereafter. Glockner added that the firms are ultimately responsible for any breaches or weaknesses in cyber protection, not the vendors.
“Are firms thinking about whether the transaction request is anomalous in certain respects? Do they have a software tool that assigns risk scores to a particular request or transactions? Are they actually looking at those risk scores and acting on them?” Glockner says. “Firms ought not assume that any particular customer contact is genuine.”
Stegmaier recommends firms have a written response plan ready for a potential breach. Even if they don’t use it exactly when an attack occurs, creating one will help keep staff informed of the requirements. For example, in California and Florida firms are required to notify regulators if clients’ email and passwords have been compromised.
“Even if your plan isn’t great, if you know who to call…that’s a really valuable thing to have.” Once a firm has a plan, the staff need to go through tabletop exercises. “There’s no better way to know if your plan will work than to once a year war game it,” he says.
“Thinking as a regulator, if I came in and saw that you had the best policies in the world or the best technology in the world, but the relationship between that and what you actually do were divergent, that would cause me to grouse and get cranky,” he said.