Creating a Cybersecurity Plan for Your Financial Planning Firm

It is clearly a challenge in the modern era of business to make serious technology decisions. We now see a pace of change that disrupts technology planning on nearly a quarterly basis, less accommodating than the year over year hardware and software updates and releases we have grown accustomed to.

Paired with this breakneck speed of technology is the comprehensive move to the use of Internet-connected applications -- both in the web browser and on smartphones and tablets.

This shift to the web began over a decade ago. And since the emergence of the iPhone in 2007 and iPad in 2010, the acceleration of our business tools becoming a part of the “Internet of Things” has been stunning.

This combination creates complexity for financial planning firm owners and puts pressure on all advisors tasked with protecting data and information for an RIA to make smart technology decisions. You must balance efficiency, risk and profitability.

But cybersecurity is not a new topic. In fact, it has been a part of our conversation on risk since the first systems connected to the Internet. It is just exacerbated now in our digital, always-connected way of doing business.

What to Consider in Your Approach to Cybersecurity

Data security is as much about behavior as it is software and hardware. Train your team in good security practices.

Talk through how you each work, both in office and when mobile. Think through these scenarios when you develop your security practices and policies for employees to read and affirm.

Staying Safe When Connected to the Internet

It is quite rare when anyone works offline. Be certain that all laptops are using personal VPNs for using WiFi on public networks, password managers to ensure strong passwords and reinforcing the need to always be protective of handling and protecting customer information and other vital data. Two-factor (multi-factor) authentication should be used on all accounts where it is available.

All computers, and especially laptops, should be disk encrypted. This is now available at no additional cost on Mac OS X and Windows computers (you can use File Vault and Bit Locker, respectively). In addition, setting a timeout on those computers to re-encrypt when they go into sleep mode (best practice is 1 minute of inactivity).

For manual locking, remind users to lock their computers when walking away from them in any setting (especially in public places – it can be done with a keyboard stroke on both Macs and PCs).

Ensure that antivirus software is set to update and run automatically. Always set computers to auto-update for operating system patches.

Provide firewall security for all Internet connections. These are best used both at the connection level (a router bringing the Internet into your office) and also the individual firewall software included on computers. This includes home and other remote offices.

Your policies should require these to be confirmed and tested at least quarterly.

Dealing with Mobile Security Concerns

Have a strategy and plan for managing mobile devices. Confidential data can leak onto smartphones and tablets. They should be protected with a password or pin to unlock, and set to erase automatically if an incorrect password or pin is entered more than 5 times.

Additionally, a security app should be on each device that protects against malware and viruses. Personal VPNs should be used on these devices as well to secure all WiFi connections. The password managers selected for your computer browser(s) will also extend to your smartphones and tablets.

Finally, where possible, the backup and/or sync process for backing up these devices should be password protected and/or encrypted.

Backups Are an Essential Part of Sound Cybersecurity

Backing up business data is essential. We subscribe to the 3-2-1 backup approach. This means always having three copies of your critical business data, from email to working documents and other data from systems and applications.

Restoring from backup should be tested at a minimum annually. Ideally, you can use this approach:

• The original copy of data are your working files, actively on your computer and/or mobile devices.
• The second copy is your daily backup, which can be local or cloud-based. If local, the data storage should be rotated to be stored in fire and water proof storage.
• The third copy is what we call the disaster recovery backup. It should be backed up on a completely different system and stored in a geographically disparate area. In essence, one should be able to acquire all new equipment and devices and restore all business operations from this third backup regardless of location.

Insurance Doesn’t Solve the Whole Problem -- But Does Matter

You will need to maintain insurance to address cyber security incidents and/or network and data breaches are becoming more commonplace as a foundation to any security strategy. Explore the capabilities for carrying insurance that can assist with notifications, litigation and credit insurance from your existing general and professional liability carrier(s).

This insurance goes along with the steps we have outlined, not as an alternative or replacement.

Today’s technology grows and changes at exponential rates. As you incorporate more technology into the running of your firm, it’s important that you stay educated on best practices for cybersecurity. Keep asking questions, doing your research, and maintaining your awareness of the importance of protecting your -- and your clients’

About the Author

Recognized as an industry leader in financial services marketing, compliance and technology, Blane Warrene has worked in progressive roles for broker dealers, investment advisors and asset managers. He co-founded Arkovi Social Media Archiving in 2009 with Carl Cline and TysonLowery, and sold it to RegEd in October 2012 RegEd. He also co-founded QuonWarrene with Neal Quon, where he serves as a board member today.

Blane additionally serves on the board of the Dennison Railroad Depot Museum, a national historic landmark in Ohio. You can connect with him on LinkedIn, or on Twitter.