What’s your cybersecurity strategy? If a hacker set his or her sights on your advisory firm right now, would you be prepared?
According to a recent CNBC article, less than half of the businesses in the U.S. are equipped to handle cyberattacks. As a result, cybercrime cost the global economy over $450 billion in 2016. In addition to the financial cost, 2 billion personal records were also stolen.
As a financial advisor, you are entrusted with your clients’ most sensitive data every day, which makes you an attractive target for cyberattacks. Turning a blind eye to these threats is no longer an option. Failing to protect your clients’ information can lead to lawsuits, fines or other consequences from regulatory bodies, and loss of client trust.
But what can you do—especially if you are part of a small or medium-size firm with few resources? How can you build and run your business, provide service to your clients, and figure out if your cybersecurity is sufficient?
A solid first step is to learn about the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). This framework is a high-level road map to cybersecurity best practices and is recommended by the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA).
In fact, businesses that don’t comply with the standards in this framework could be fined heavily and without warning. For example, in 2016, the SEC fined Morgan Stanley Smith Barney LLC $1 million because they “failed to adopt written policies and procedures reasonably designed to protect consumer data.” And in 2015, the SEC censured and fined investment advisor R.T. Jones Capital Equities Management $75,000 for failing to “establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.”
In this series, we will introduce you to the NIST Cybersecurity Framework and show you how you can apply its concepts to increase your cybersecurity preparedness.
What you need to know about NIST’s Cybersecurity Framework
The National Institute of Standards and Technology is an agency of the U.S. Department of Commerce that provides national standards to “improve our quality of life.” NIST developed its Cybersecurity Framework to increase awareness about cybersecurity issues and help businesses increase their cybersecurity. By following the framework, businesses should be able to “develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
Becoming NIST-compliant can be a long and in-depth process, but we will try to give you a head-start by introducing you to the framework and suggesting first steps you can take.
The Cybersecurity Framework is a high-level document that outlines five core cybersecurity principles, 23 high-level processes, and 98 specific activities. That’s a lot to digest, so let’s start with the five core principles: identify, protect, detect, respond, and recover.
The first core principle of the framework is identify. This involves taking inventory of the following:
- What you do (a prioritized list of the services you provide).
- What you use (e.g., computers/software).
- Who you depend on, and who depends on you (e.g., people, outside companies).
- What your “treasure” is (e.g., data, processes, money).
You will use this information to create a cybersecurity policy. This policy will detail who is responsible for cybersecurity, how you will assess and manage your risk, what you will do if a cyberattack or breach occurs, and who will help you from the outside.
This policy and your inventory will help you manage risk by exposing what threats exist to your “treasure,” what vulnerabilities would allow these threats to take hold, what impact this would have on your company, and how you should respond.
The second core principle of the framework is protect. What are you protecting? That inventory of services, computers, people, and treasure you just identified. The most important things get the most attention. You can start by restricting access to your treasure, training your employees and yourself to recognize common cyberthreats, and regularly patching your systems. Remember to document what you do and the decisions you make.
The third core principle of the framework is to detect. This involves spotting strange activity on your systems. Some of this work can be done by an outside managed service provider (MSP), but much of it still requires you and your knowledge of your business.
Whether these processes are carried out by you or an MSP, you should keep documentation of your detection processes, monitoring processes, and any strange activity you detect on your systems.
The fourth core principle of the framework is to respond to any strange activity you may have detected. First, create a plan that details how you will respond to a cybersecurity threat and mitigate the damage done to your company. Once you have this plan, put the pieces in place that you need to follow through with your plan after an attack.
Next, conduct analysis and communications. This includes analyzing the incident to inform your response and support your recovery activities, and communicating with your staff and with external parties such as vendors or stakeholders.
The fifth core principle of the framework is to recover from a threat. If the unthinkable were to happen, your business will be expected to learn from the incident, improve its processes, and rededicate itself to being prepared for threats. This may involve engaging a third party and spending significant time restoring your business operations.
How to start down the path to becoming NIST-compliant
Now that you know the five core principles of NIST’s framework, you may be wondering how these translate into an actionable plan that leads to a strong company cybersecurity posture. While this process will be ongoing and require constant maintenance, here are three steps you can take to jump-start it:
- Develop and get approval for a cybersecurity policy.
- Develop and deploy a process for managing the inventory of computers, services, and third parties that are essential to running your advisory firm.
- Develop and deploy a process for figuring out the threats that exist to your business, the vulnerabilities that would allow them to take hold, and the steps you can take to prevent them.
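The three steps above, together with the "identify" principle described earlier, amount to keeping a prioritized inventory and a risk register that maps threats and vulnerabilities to mitigations. The Python script below is an added example, not part of the original post and not NIST's own tooling: the firm, its assets, the risks and the scoring formula (likelihood × impact × asset criticality) are constructed assumptions chosen to illustrate the idea. It ranks the register so the most important things get attention first, and reports which of the five core principles have no mitigation planned at all.

```python
from dataclasses import dataclass

# The five core principles named in the post (NIST calls them "functions").
CSF_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")


@dataclass(frozen=True)
class Asset:
    """One inventory entry: a service, system, outside dependency or 'treasure'."""
    name: str
    kind: str          # "service", "system", "dependency" or "treasure"
    criticality: int   # 1 (nice to have) .. 5 (the business stops without it)


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against an inventoried asset."""
    asset: str         # must match an Asset.name in the inventory
    threat: str
    vulnerability: str
    likelihood: int    # 1..5, how plausible the threat is given the vulnerability
    impact: int        # 1..5, damage to the firm if it happens
    mitigation: str
    csf_function: str  # which core principle the mitigation belongs to


# Constructed sample inventory for a hypothetical small advisory firm.
INVENTORY = {a.name: a for a in (
    Asset("client PII database", "treasure", 5),
    Asset("portfolio reporting service", "service", 4),
    Asset("office email", "system", 4),
    Asset("advisor laptops", "system", 3),
    Asset("custodian portal", "dependency", 3),
)}

# Constructed sample risks; the scores and priorities follow from these values only.
RISKS = [
    Risk("client PII database", "phishing leads to stolen credentials",
         "no MFA on remote access", 4, 5, "require MFA for all remote logins", "protect"),
    Risk("client PII database", "ransomware", "backups never test-restored",
         3, 5, "quarterly restore drill from offline backup", "recover"),
    Risk("office email", "business email compromise (fake wire request)",
         "staff not trained to verify payment requests", 4, 4,
         "annual phishing awareness training plus call-back verification", "protect"),
    Risk("portfolio reporting service", "unauthorized access goes unnoticed",
         "no login monitoring", 3, 4, "alert on logins from new devices or countries", "detect"),
    Risk("advisor laptops", "lost or stolen laptop", "disk not encrypted",
         3, 4, "full-disk encryption on every laptop", "protect"),
    Risk("custodian portal", "vendor outage", "no documented fallback process",
         2, 3, "written manual fallback for trade entry", "recover"),
]


def validate(inventory, risks):
    """Reject risks that point at unknown assets, misspelled principles or out-of-range scores."""
    for r in risks:
        if r.asset not in inventory:
            raise ValueError(f"risk references unknown asset: {r.asset!r}")
        if r.csf_function not in CSF_FUNCTIONS:
            raise ValueError(f"unknown CSF function: {r.csf_function!r}")
        for v in (r.likelihood, r.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"likelihood/impact must be 1..5, got {v}")


def risk_score(risk, inventory):
    """Likelihood x impact, weighted by how critical the asset is to the firm (assumed formula)."""
    return risk.likelihood * risk.impact * inventory[risk.asset].criticality


def prioritized_register(inventory, risks):
    """Risks ordered highest score first, so the most important things get the most attention."""
    validate(inventory, risks)
    return sorted(risks, key=lambda r: risk_score(r, inventory), reverse=True)


def coverage_by_function(risks):
    """How many planned mitigations fall under each core principle."""
    return {fn: sum(1 for r in risks if r.csf_function == fn) for fn in CSF_FUNCTIONS}


def uncovered_functions(risks):
    """Principles with no mitigation at all: gaps the written policy must address.

    'identify' is excluded because the inventory and this register are the identify work.
    """
    return [fn for fn, n in coverage_by_function(risks).items()
            if n == 0 and fn != "identify"]


if __name__ == "__main__":
    for r in prioritized_register(INVENTORY, RISKS):
        print(f"{risk_score(r, INVENTORY):>4}  {r.asset:<28} {r.threat:<45} -> {r.mitigation}")
    print("coverage:", coverage_by_function(RISKS))
    print("no mitigation planned for:", uncovered_functions(RISKS))
```

With the constructed data, the missing MFA on remote access to client PII ranks first, and the gap report shows that nothing in the register belongs to "respond": exactly the incident response plan the fourth principle asks for. The same structure works for a spreadsheet; the point is that every mitigation is tied to an inventoried asset, a named threat and one of the five principles, which is the documentation a regulator will ask to see.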
To learn more about each step and suggestions on how to carry them out, read the posts in our “Cybersecurity for financial advisors” series.