15 Cyber Security Best Practices for RIAs

Cyber attacks pose a significant risk to financial businesses, costing companies millions and damaging reputations. The tactics used by hackers are always evolving, so it’s important to keep up with the currently recommended best practices.

However, many firms fall behind — and that’s where a problem can occur. Most attacks result from a business being unprepared or underprepared for a particular threat. But by implementing the right cyber security best practices, you can minimize your risk of a hack.

Here are 15 tips to get your protection up to speed.

1. Develop Cyber Policy Documentation

Create a written cyber policy that is tailored to the needs of your business. Make sure your policy addresses the particular cyber risks facing your company. Document the steps for your personnel to take for cyber attack prevention, ongoing threat monitoring and cyber incident response.

2. Educate Employees on Cyber Safety

Make education on cyber safety a core part of your employee training. Go beyond inserting a few bullet points into an employee handbook handed out to new hires. Instead, train employees regularly on cyber and data security issues. If available, consider enlisting the help of third-party best practices experts.

3. Institute a Funds Transfer Policy

Take extra precaution with your firm’s financial transactions. Have a specific policy for wiring funds or sending money. Institute a policy of verifying instructions via a phone call with the number on file for any transaction over a designated amount (such as $25,000). Instruct clients to call and verify any changes in payment or wire instructions sent or received through email. Institute a policy requiring funds deposited into a trust account to be fully cleared by the bank before initiating any request to wire them out.

4. Have a Suspicious Links Procedure

Have a specific policy warning against opening links from unknown sources. Train employees never to click on a link in an email from a third-party source without first verifying the email is legitimate. Instruct employees to never provide any credentials such as a username or password if prompted to do so by such email links.

5. Consider a Personal Internet Use Policy

Consider creating and enforcing an employee policy on personal internet usage. Realize that, besides being a drain on productivity, employee internet surfing may increase the risk of cyber attacks. Consider prohibiting internet use beyond what is necessary to complete work tasks. Alternatively, you could provide dedicated computers for employees to use on breaks that are not on the company system.

6. Establish a Personal Device Policy

Establish a policy for employees regarding the use of their personal devices for work purposes. Understand that there is a risk involved in allowing employees to perform work functions on cell phones and personal computers that haven’t been vetted and approved. Think through how your company will successfully manage the risk of a personal device being stolen that contains confidential client information or communications.

7. Protect Portable Company Devices

Establish a protocol for protecting company-owned laptops, cell phones and other portable devices issued to employees on the go. Make sure the firm knows who has each device and ensure that each system has been properly set up to provide only the access required for their role. Set up devices to require strong password protection with multi-factor authentication and install current software and antivirus protection.

8. Require Robust Password Security

Have a policy requiring employees to set and maintain robust passwords for all their work devices and applications. Require employees to immediately change any dummy passwords given at the start of employment (such as “1234”). Require them to keep their passwords confidential, never leaving notebooks or sticky notes lying around that could reveal them. Enforce frequent password changes, making sure employees choose strong passwords that meet policy requirements.

9. Turn on MFA for Remote Access

Make sure to enable multi-factor authentication (MFA) for remote access to your network and the use of remote devices. Use this added layer of protection whenever employees will work from home, use company portable devices or use their own personal devices for work purposes under a “bring your own device” (BYOD) policy. Remember that the risk of hacker intrusions through remote access portals is high, so any employee working in a system remotely should be required to go through an MFA verification process to confirm their credentials.

10. Ensure Software Is Up to Date

Make sure all software is up to date to prevent a hack. Check that all software protecting your systems and devices against viruses, malware and ransomware is up to date. Make sure operating systems and business software solutions are also kept up to date on all devices. Consider turning on automatic updates for security fixes and software patches that protect against new vulnerabilities. Realize that an investment in software on the front end to prevent an attack is often well worth it.

11. Enact Firewall and Data Encryption Protection

Enact a combination of firewall and data encryption protection across all your systems. Realize that, in many cases, a cyber incident stems from an avoidable failure to encrypt sensitive data and protect privileged communications. Make sure you understand what your in-house or third-party IT and data host provider is doing to protect your data and network.

12. Review IT Backup Procedures

Review your firm’s backup procedures with your IT team to ensure everyone is on the same page. Understand that, all too often, a business learns that its data has not been properly backed up or that the backup is so closely tied to the server that it too is lost or corrupted in a cyber theft and ransomware attack. Put your IT team to the test before an event to make life much easier if and when an event occurs.
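One concrete way to "put your IT team to the test" is a restore check that compares what the backup actually contains against a hash manifest recorded at backup time. The script below is an added example written for this page, not code from the original article or from Lockton Affinity Advisor; it builds a constructed "server" and "backup" directory tree in a temporary folder, records SHA-256 digests of the live files, then deliberately damages the copy to show how a missing file and a silently altered file are reported. The directory names and file contents are assumptions for the demonstration. In practice the manifest should be stored somewhere the server cannot write to, so that a ransomware event that encrypts the server cannot also rewrite the record you verify against.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source_manifest: dict, backup_root: Path) -> dict:
    """Compare the manifest recorded at backup time with what is restorable now.

    Returns files missing from the backup, files whose content no longer matches,
    and an overall ok flag. A backup that passes this check is restorable for the
    files it covers; it says nothing about whether the copy is stored off the server.
    """
    backup_manifest = build_manifest(backup_root)
    missing = sorted(f for f in source_manifest if f not in backup_manifest)
    corrupted = sorted(
        f for f, digest in source_manifest.items()
        if f in backup_manifest and backup_manifest[f] != digest
    )
    return {"missing": missing, "corrupted": corrupted, "ok": not missing and not corrupted}


def make_files(root: Path, files: dict) -> None:
    """Write a dict of relative path -> bytes under root (constructed test data)."""
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo() -> dict:
    """Constructed scenario: back up a server tree, then damage the copy and re-test it."""
    files = {
        "clients/accounts.csv": b"id,name\n1,Example Client\n",
        "clients/notes/meeting.txt": b"reviewed allocation\n",
        "ledger.csv": b"date,amount\n2024-01-01,100.00\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp) / "server"   # assumed: the live system
        backup = Path(tmp) / "backup"   # assumed: the copy kept off the server
        make_files(server, files)
        manifest = build_manifest(server)   # recorded at backup time, kept separately
        make_files(backup, files)           # a faithful copy
        healthy = verify_backup(manifest, backup)

        # Simulate a damaged backup: one file never copied, one silently truncated.
        (backup / "clients/notes/meeting.txt").unlink()
        (backup / "ledger.csv").write_bytes(b"date,amount\n")
        damaged = verify_backup(manifest, backup)
    return {"healthy": healthy, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule against the real backup target rather than against the server's own disk; a check that passes because it is reading the live files proves nothing about what survives a ransomware event.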

13. Know Third-Party Firm Policies

Have a thorough understanding of the policies and procedures of any third-party companies with whom you share data. Realize that your cyber security protection is only as strong as your weakest link and that it does little good to have strict data and cyber policies if a third-party data host is not careful or shares sensitive information with unsafe recipients.

14. Invest in Annual Penetration Testing

Consider allocating resources to conduct annual system penetration testing by a qualified third-party cyber security firm. Look into forensic IT companies who offer services where your company network and email systems can be tested to highlight vulnerabilities and recommend solutions to further improve your cyber safety.

15. Obtain Cyber Insurance Protection

Understand that there is still a risk a cyber attack may occur, even when you’ve taken all the right steps to protect your business. Make sure you obtain cyber insurance protection to ensure your business survives the hack and bounces back. Look for broad, comprehensive coverage, such as the robust Cyber Liability coverage offered by Lockton Affinity Advisor.

Lockton Affinity Advisor offers broad coverage that’s tailored to the unique needs of financial professionals. Our protection addresses many of the deficiencies in the current marketplace, where sparse coverage, hidden fees and no available coverage are common. Cyber Liability provides protection against mistakes, breaches, hacks and more, and is available as an add-on with your Lockton Affinity Advisor E&O policy.

Learn more about how our coverage meets ERISA standards, including services performed as an ERISA 3(21) and 3(38) advisor, at LocktonAffinityAdvisor.com.