By Scott R. Cosentine, CPA, CAMS, CGMA
Cyber-attacks have garnered headlines daily and tarnished the reputations of household brands whose cyber-security budgets are larger than most RIAs’ gross revenue. Regulators have made cyber-security a primary focus, current and prospective investors are inquiring about information security controls, and board members are reporting that cyber-security is what keeps them up at night. Cyber-threats are here to stay, but that is no reason to act out of fear. Recent events have proven that there is no such thing as 100% security, so what should a small/medium-sized RIA do first in 2015?
An important thing to remember is that this shouldn’t be a technology discussion, but rather a risk discussion. The reality of the matter is that, generally speaking, small/medium-sized RIAs are not the highest-priority targets. That being said, a single cyber-attack could be a death sentence. Attacks can come from multiple sources and can target anything from sensitive employee or client data to strategy information, and firms are not immune to internal incidents either.
Most firms have outsourced IT operations, and according to Mavis Kelly, an Assistant Director with the SEC’s OCIE division, a passive approach by RIAs to this relationship is her biggest concern. In 2015, if it has not done so already, every RIA needs to assess what data is important to the firm, and that needs to be the initial focus of attention from a security perspective. Regardless of the size and complexity of your firm, as a best practice and the foundation for an annual assessment, you should address the requests in the SEC’s April Risk Alert. The SEC doesn’t expect the CCO to be a technology expert, but it expects the CCO to understand the technology well enough to assess the risks and mitigate them as necessary.
Based on your risk profile, the next steps can vary widely; however, it is important to understand that every action you take from a cyber-security perspective (and most other compliance or control initiatives) should be directly tied to your assessed risks, or you could be wasting valuable time and money.
Over the coming months, please join Ashland Partners’ IT specialists and other industry IT experts as they present a series of webinars to help small/medium-sized RIAs sort through the cyber-security maze and provide industry-focused insight to assist you in meeting your individual regulatory and operational needs.
Please join Bruce Nicholson of Ashland Partners and Alfonso Powers of Core Business Services on January 20, 2015 at 11:00 AM PST for a non-technical presentation of the SEC’s Office of Compliance Inspections and Examinations (OCIE) Cyber-security Initiative. This session is tailored for executives and Chief Compliance Officers to better understand what cyber-security controls the SEC expects you to have in place and what additional controls your firm should develop for the future.