The first article of our “Cybersecurity for financial advisors” series explained why a solid cybersecurity strategy is crucial for today’s financial advisor and introduced the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), the set of cybersecurity best-practice guidelines that the SEC and FINRA point firms toward. It concluded by introducing three steps you can take to jump-start your cybersecurity strategy.
In this article, we’ll explore the first step: creating a cybersecurity policy.
What is a cybersecurity policy?
A cybersecurity policy is a document that states what steps your firm is taking to protect itself from cyberattacks and what steps it will take in the event of an attack. It is a living document: it should be reviewed and updated regularly, and every version should be dated so you can show what the policy said at any given time.
Who creates the policy?
You will need to designate a cybersecurity manager (CSM) or cybersecurity officer (CSO) for your firm. This person works with stakeholders to pull together the content of the cybersecurity policy, gets it approved, and keeps it up to date as the firm learns over time.
The CSM or CSO should also keep a journal of everything the firm has done or plans to do on cybersecurity, with dates. If necessary, you will be able to refer to that journal to answer questions from a regulator. While some may feel that keeping a journal makes them vulnerable to litigation, a record that shows steady progress and rational decision-making may go a long way during an audit.
What should the policy include?
Your cybersecurity policy should be a high-level document. Each section should address one item in general terms. Phrases such as “risk will be assessed on an ongoing basis” and “employees will receive annual training on cybersecurity” work well and commit the firm only to obligations it can actually meet. Keep the specifics (tool names, configuration settings, review dates) in separate procedures that the policy references, so the policy stays stable while the details change. Be realistic in your policy, and you will have a better chance of adhering to it.
What should the policy cover? Unfortunately, there is no prescribed format. Because the policy is tailored to the business, details can and should vary. One approach that may be useful for an SEC-regulated firm is to align its cybersecurity policy with the areas the SEC examines. The SEC’s cybersecurity exam sweeps have focused on the following areas, which appear to be distilled from NIST’s Cybersecurity Framework:
- Identification of risks
- Cybersecurity governance
- Access rights and controls
- Prevention of data loss
- Vendor management
- Employee training
- Incident response
Let’s discuss each of these areas in more detail.
Identification of risks
One section of your cybersecurity policy should address the identification of risks. This involves outlining how you will determine which assets matter most (e.g., client data), what threats exist to them, and where your cybersecurity vulnerabilities are.
Examples of steps your firm could take to identify risks include the following:
- Produce and regularly maintain a written inventory of the data, technology, services, and third parties critical to your business. You cannot assess the risk to something you do not know you have, so this inventory feeds every activity that follows.
- Conduct (or hire someone to conduct) periodic risk assessments to identify threats, vulnerabilities, and the consequences if they were exploited.
- Conduct (or hire someone to conduct) periodic vulnerability scans and penetration tests of your systems, with the scope and authorization agreed in writing beforehand, and track the findings through to remediation.
Cybersecurity governance
Another area you should address in your cybersecurity policy is cybersecurity governance, or how your firm will control and direct its cybersecurity activities: who owns the program, how decisions and exceptions are approved, how often the policy is reviewed, and how the firm’s owners or board are kept informed. Typically, these tasks are handled by the previously mentioned CSM or CSO.
Access rights and controls
Access rights and controls is another area you should address in your cybersecurity policy. This section establishes who gets access to which items in your inventory and why, following the principle that people receive only the access their role requires. It should also include guidelines on how to track, monitor, and manage changes to this list, including periodic reviews of who still has access and prompt removal of access when employees leave or change roles.
Prevention of data loss
The next section you may want to add to your policy is a plan for data loss prevention (DLP). This section should provide details about your data: where it is, who owns it, how you classify it (from most sensitive to least sensitive), and, importantly, what technology you use to prevent it from leaving your advisory business. DLP plans are highly individualized but may include a range of technologies, from controls that block writing to removable USB storage to DLP add-ons for your antimalware software.
This section could be incredibly important in the event of an attack in which client data is lost. It provides evidence to regulators, and potentially in court, that you had a plan to prevent and mitigate data loss before the attack occurred.
Vendor management
A section that is often overlooked in cybersecurity policies (and probably should be featured in yours) is how to manage vendors. How does this apply to cybersecurity? A good vendor-management policy includes the process for selecting vendors and conducting due diligence to ensure they are trustworthy and are themselves addressing cybersecurity. It also outlines how the firm assesses the risk each vendor represents, taking into account what data and system access the vendor has, and how that risk is re-evaluated over time.
Employee training
Another topic your cybersecurity policy may want to address is how your firm trains employees on cybersecurity risks. This section could include the cybersecurity classes, seminars, or formal training your employees are required to take and how often. You will need to document when and how this training happens and who completed it.
Incident response
The final core section you may want to include in your policy is how your firm plans to respond to a cybersecurity incident. This section may also include how you will test your plan to see if it needs improvement. It should also state how you and your employees will report incidents and to whom, including when clients and regulators must be notified.
Miscellaneous sections and approvals
Your policy may also include a summary, objectives, glossary of terms, and appendixes, as needed.
Once the policy is drafted, your CSM or CSO should make sure it is reviewed and approved by your firm’s major stakeholders (e.g., owner, compliance team).
Now that your cybersecurity policy is in place, the next step in building a solid cybersecurity strategy is to develop and deploy a process for managing and protecting your important inventory (e.g., computers, services, data). We’ll dive into how to get started in the next post in our “Cybersecurity for financial advisors” series.