The term “cybersecurity” may be a bigger buzzword in investment management today than “performance,” “fiduciary,” or “robo-adviser.”
Identify Location of Confidential Information
Conduct an internal assessment of the location of confidential information and who might have access.
Each employee should have an individual password that must be changed on a periodic basis. Also, make sure to shut down access promptly for departing employees.
Monitor for Intrusions
The IT function should add intrusion monitoring to its virus-protection and security protocols. Also, IT should report repeated log-in failures.
Prohibit Removable Storage Media
Also, create a hardware environment that makes it difficult to use such media.
Only firm-approved and encrypted devices should have access to the network/system.
Hire an IT firm to perform a vulnerability assessment and conduct penetration testing.
Ensure vendor selection includes cybersecurity due diligence. Create an ongoing monitoring and reporting system.
Report to Management
Add cybersecurity as an agenda item to every management and compliance meeting and include reports from IT and Compliance.
Appoint Somebody Accountable
One person should own cybersecurity compliance across the organization, whether that person resides in IT, Compliance, or Operations.
Create Response Plan
The response plan should include required notices to clients and regulators and how to patch vulnerabilities.
Consider Cybersecurity Insurance
Determine if a cybersecurity insurance policy will protect the firm against a catastrophic event.
Implement Policies and Procedures
Develop policies and procedures governing all of the above and annually test whether they are being followed. Also, ensure ongoing employee training.