BEST PRACTICES

The term “cybersecurity” may be more of a buzzword in investment management than performance, fiduciary or robo-adviser.

1. Identify Location of Confidential Information

Conduct an internal assessment of the location of confidential information and who might have access.

2. Restrict Access

Passwords should be specific to each employee and should require updating on a periodic basis. Also, make sure to shut down access for exiting employees.

3. Monitor for Intrusions

The IT function should add intrusion monitoring as part of the virus and security protocols. Also, IT should report multiple log-in failures.

4. Prohibit Removable Storage Media

Also, create a hardware environment that makes it difficult to use such media.

5. Limit Devices

Only firm-approved and encrypted devices should have access to the network/system.

6. Test Vulnerability

Hire an IT firm to perform a vulnerability assessment and conduct penetration testing.

7. Evaluate Vendors

Ensure vendor selection includes cybersecurity due diligence. Create an ongoing monitoring and reporting system.

8. Report to Management

Add cybersecurity as an agenda item to every management and compliance meeting and include reports from IT and Compliance.

9. Appoint Somebody Accountable

One person should own cybersecurity compliance across the organization, whether that person resides in IT, Compliance, or Operations.

10. Create Response Plan

The response plan should include required notices to clients and regulators and how to patch vulnerabilities.

11. Consider Cybersecurity Insurance

Determine if a cybersecurity insurance policy will protect the firm against a catastrophic event.

12. Implement Policies and Procedures

Develop policies and procedures governing all of the above and annually test whether they are being followed. Also, ensure ongoing employee training.