Now that you understand why you need a cybersecurity strategy, how to create your cybersecurity policy, and how to create and manage your firm’s inventory, let’s explore the third step you can take to jump-start your cybersecurity strategy: creating a process to identify and manage your advisory firm’s cybersecurity risk.
Note: Before you can begin managing your cybersecurity risk, you need to create your cybersecurity policy and inventory. If you haven’t finished these steps, you won’t have the necessary pieces in place to manage your cybersecurity risk.
What is a cybersecurity risk management process?
A cybersecurity risk management process documents the way that you will identify, rank, and address risks to your business from cyberattacks. This document should be updated regularly.
Who creates the process?
You will need to designate a cybersecurity manager (CSM) or cybersecurity officer (CSO) for your firm. This person will work with stakeholders to pull together the content of the cybersecurity risk management process, get it approved, and keep it up to date.
How to start
Before we dive in, let’s go over some quick definitions:
- Risk is a measure of how likely it is that something bad will happen and how serious the consequences would be if it did.
- A threat is a person, circumstance, or event that could make that bad thing happen.
- A vulnerability is a weakness that would allow that bad thing to happen.
Since you now have your inventory, you can begin to determine your risk exposure by looking at threats and vulnerabilities. You should assess your risk methodically, starting from your most critical inventory items and moving to the least critical. Ask yourself the following questions:
- What bad things could happen?
- How likely is it that these things could occur?
- What are the consequences if they do occur?
- What can I do to reduce the risk of them happening?
Resources that can help you identify and assess risk
In some cases, an advisor may need help from an outside IT company, but in most cases you simply need a good understanding of what can happen in the context of your business and what the consequences would be.
A great way to keep up on threats to the financial-services industry is to subscribe to the Financial Services Information Sharing and Analysis Center (FS-ISAC). This service offers daily alerts and provides a collaborative community that may be able to help you to understand vulnerabilities.
Depending on your business, you may have the in-house capability to assess the risk to your more technical systems (databases, cloud services, your website), but it is more likely that you will need to engage a third party to conduct a vulnerability assessment or penetration test.
After compiling a list of threats to your business and the vulnerabilities in your systems that could allow those threats to be realized, rank the threats according to which assets they affect (critical or noncritical) and according to their consequences. For example, the consequences of a hacker learning client names are much less serious than the hacker learning client Social Security numbers and banking information; therefore, you should focus more of your time and energy on making sure the latter threat is not realized.
At this point, it is important to engage upper management, executives, and owners to determine their risk tolerance—how much risk they are willing to accept. This will determine how you will manage the risks you have identified in your assessment.
Now that you have a list of threats to your inventory, vulnerabilities you have detected, consequences, and a ranking of the threats from most to least critical, you must manage these lists. This means that you should go through your list with the appropriate stakeholders to formulate a plan for each threat from most to least critical. You may need to employ outside help to suggest appropriate actions.
Once you have agreed on a plan, act on it, and repeat this process at least once a year and whenever your inventory or business changes significantly.
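The ranking and risk-tolerance steps above can be captured in a simple risk register. The following is an added example, not code from the original article or from any framework it cites: a small Python register that scores each threat by likelihood and consequence, weights threats to critical inventory items more heavily, ranks them, and marks each one "treat" or "accept" against a tolerance threshold agreed with management. The three-level scale, the doubling for critical assets, the tolerance value, and the sample assets and threats are all constructed assumptions for illustration; substitute your own inventory and scale.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Three-point qualitative scale for likelihood and consequence (assumed scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    critical: bool  # critical / noncritical flag carried over from the inventory step


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str          # who or what could cause harm
    vulnerability: str   # the weakness that lets the threat succeed
    likelihood: Level
    consequence: Level

    def score(self) -> int:
        # likelihood x consequence, doubled for critical assets (assumed weighting)
        base = int(self.likelihood) * int(self.consequence)
        return base * 2 if self.asset.critical else base


def rank_risks(risks):
    """Order risks from most to least critical; ties broken by asset and threat name."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset.name, r.threat))


def build_plan(risks, tolerance: int):
    """Return (risk, action) pairs, most critical first.

    Anything scoring above the agreed tolerance is marked for treatment;
    the rest is formally accepted and recorded as such.
    """
    return [(r, "treat" if r.score() > tolerance else "accept") for r in rank_risks(risks)]


def review_overdue(last_review: date, today: date) -> bool:
    """True when the register has not been revisited within a year."""
    return today - last_review > timedelta(days=365)


# Constructed sample inventory and threats (illustrative only).
CLIENT_DB = Asset("client records database", critical=True)
WEBSITE = Asset("marketing website", critical=False)
NAME_LIST = Asset("client mailing list", critical=False)

SAMPLE_RISKS = [
    Risk(CLIENT_DB, "credential phishing of staff", "no MFA on remote access",
         Level.HIGH, Level.HIGH),
    Risk(CLIENT_DB, "ransomware", "unpatched file server",
         Level.MEDIUM, Level.HIGH),
    Risk(WEBSITE, "defacement", "outdated CMS plugin",
         Level.MEDIUM, Level.LOW),
    Risk(NAME_LIST, "attacker learns client names", "list stored in shared inbox",
         Level.MEDIUM, Level.MEDIUM),
]

TOLERANCE = 4  # agreed with owners: accept anything scoring 4 or below (assumed)


def register_summary(risks=SAMPLE_RISKS, tolerance=TOLERANCE):
    """Return rows of (asset, threat, score, action) for the ranked register."""
    return [(r.asset.name, r.threat, r.score(), action) for r, action in build_plan(risks, tolerance)]


if __name__ == "__main__":
    for asset, threat, score, action in register_summary():
        print(f"{score:>3}  {action:<6}  {asset}: {threat}")
    print("review overdue:", review_overdue(date(2023, 1, 15), date(2024, 3, 1)))
```

Note that the two threats to the client records database land at the top of the register even though one of them is only moderately likely, which is the effect of weighting by asset criticality; the comparison against the tolerance value is what turns the ranked list into the treat-or-accept decision discussed above.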
Key takeaways from the Cybersecurity for financial advisors series
We hope this series of articles has empowered you to take control of your advisory firm’s cybersecurity strategy! Remember:
- Failing to protect your clients’ information can lead to lawsuits, fines or other consequences from regulatory bodies, and loss of client trust.
- The SEC and FINRA recommend following the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), which is a high-level road map to cybersecurity best practices.
- Advisory firms that don’t address the guidelines in NIST’s Cybersecurity Framework could be fined by their regulators.
- A good cybersecurity strategy should address the five core functions outlined in NIST’s Cybersecurity Framework: identify, protect, detect, respond, and recover.
- Three steps you can take to jump-start your cybersecurity strategy include the following: