
5 Tips to Prepare for Cyber Threats in the New Year

Today’s cyber environment has created a perfect storm for financial planners. The timing and velocity of cyberattacks, combined with an increase in regulation, require more than just a defensive posture. To be successful in 2019, financial planners need to be proactive rather than reactive by default. It starts with implementing basic cybersecurity tools and protocols, then building a modern cybersecurity framework around them, one that satisfies current laws and provides clear, documented evidence of enforcement.

When we began managing cybersecurity in 1995, cyber incidents looked very different. Today cyber threats come from every part of the globe and from a host of bad actors, and a single incident can bring down an enterprise. For an ill-prepared firm, the reputational damage alone has a multiplier effect: lost clients, lost licenses and lost cooperation from regulators.

The good news is that going on the cyber offensive is relatively easy with these five tips:

1.) Use multi-factor authentication (MFA)

MFA requires a user to present more than a password to reach a network or application: typically something they know (the password) plus something they have (a phone or hardware token). A familiar example is a website that, after the password, sends a numeric code to your phone or asks for one from an authenticator app and only then grants access. The technology is simple and requires no special expertise to use. One caveat: codes delivered by SMS can be intercepted or captured through SIM swapping, so an authenticator app or hardware security key is the stronger choice where the service offers it.

2.) Employ data loss prevention tools and settings

Data Loss Prevention (DLP) tools and settings are critical for regulatory compliance and for safeguarding client data. Before adding DLP, a firm should already have the basics in place on every device that touches client data: antivirus protection (most subscriptions cover multiple devices), encryption and automatic screen locks.

Encryption and screen locks on a phone are built into the device, inexpensive to enforce and simple to use.

3.) Printed cybersecurity policy and practice drills.

Most firms have a cybersecurity policy, but only a small percentage print it and run practice drills. A hard copy of the policy gives immediate access to it should the firm’s network become compromised or inaccessible. Running practice drills ensures everyone understands their role and responsibility under the policy.

4.) Build a cyber dream team.

On a previous FPA Coaches Corner webcast, we explained how to build a cyber dream team and its roles and responsibilities. An ideal team, for example, comprises the firm’s chief information security officer (CISO) and a cyber expert. The cyber expert is formally trained in cybersecurity and incident response planning and should have a deep understanding of the regulations.

5.) Documented cybersecurity evidence.

One of the most important functions is generating proof and evidence for regulators; without it, no one (including the cyber insurance carrier) will believe a firm is in good order. Documents such as a Written Information Security Policy (WISP) and a Cyber Asset Audit Report make up that body of proof. These documents should also be printed in case the system is compromised.

Going on the cyber offensive positions advisers operating under a fiduciary standard for success, since acting in a client’s best interest is the basis of the client relationship.

Editor’s note: This is an excerpt from the FPA Coaches Corner whitepaper titled “Make 2019 Your Year: Business and Career Tips to Get the Most Out of 2019.” Read the full whitepaper here.


Brian Edelman, CEO of FCI, is a nationally recognized cybersecurity expert specialized in the financial services industry. He is the FPA Coaches Corner coach for cybersecurity.



5 Tips to Protect Your Practice from Cybersecurity Threats

Spring is finally here and this time of year always brings a renewed focus on getting healthy for summer beach vacations. But now that a fresh season is among us, it’s time for us to also focus on the cyber health of our practices.

According to Security Magazine, there is a hack attack every 39 seconds on average. As a firm, we at Kestra Financial are always doing whatever we can within our internal systems to protect the privacy of our partner firms and their clients.

However, there are a few things you as an adviser can do proactively for added protection.

Train your staff to be vigilant. Businesses often don’t realize that the biggest threat to their cybersecurity health is, unintentionally, their own employees. To help mitigate this, train staff to be wary of emails that claim to come from trusted partners but don’t quite make sense (these are likely phishing attempts). Also warn staff never to type a username and password into a website simply because it asks; this is the most common way our advisers get breached. Odds are, if something doesn’t feel right, it isn’t. When in doubt, proceed with caution.
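The tells the paragraph describes (a trusted name on mail from somewhere else, a link that says one thing and goes to another) can be checked mechanically before anyone clicks. The block below is an added example written for this page, not Kestra Financial’s tooling. The trusted-partner domain, the lookalike rules and both sample messages are constructed for the illustration; it is a triage aid, not a substitute for a mail-security product.

```python
"""Heuristic phishing triage for a suspicious e-mail. Added illustration;
TRUSTED_DOMAINS and the two sample messages are constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplepartner.com"}   # assumption: partners staff expect mail from
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)


def registrable(host: str) -> str:
    """Crude registered-domain extraction (last two labels); fine for .com-style
    names, not for .co.uk and friends."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(domain: str, trusted: str) -> bool:
    """Typo-squat test: equal once common substitutions are undone (1->l, 0->o,
    rn->m) and hyphens dropped, but not literally equal."""
    def norm(s: str) -> str:
        return s.replace("1", "l").replace("0", "o").replace("rn", "m").replace("-", "")
    return domain != trusted and norm(domain) == norm(trusted)


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable reasons this message deserves a second look."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 1. Display name invokes a partner, but the address is from elsewhere
        if brand in display_name.lower().replace(" ", "") and from_domain != trusted:
            findings.append(f"display name invokes {brand} but mail comes from {from_domain}")
        # 2. Sender domain is a near-copy of the partner's
        if lookalike(from_domain, trusted):
            findings.append(f"sender domain {from_domain} is a lookalike of {trusted}")

    # 3. Replies would go somewhere other than the apparent sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable(reply_addr.rsplit("@", 1)[-1]) != from_domain:
        findings.append("Reply-To points at a different domain than From")

    # 4. Links: plain http, or visible host differs from the real destination
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    for href, text in LINK_RE.findall(body):
        target = urlparse(href)
        if target.scheme.lower() != "https":
            findings.append(f"link is not https: {href}")
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and target.hostname and registrable(shown.group(0)) != registrable(target.hostname):
            findings.append(f"link text shows {shown.group(0)} but goes to {target.hostname}")
    return findings


# Constructed sample: a credential-harvesting message imitating the partner.
PHISH = """\
From: "ExamplePartner Support" <alerts@examp1epartner.com>
Reply-To: collect@mailbox-free.example
Subject: Action required: verify your login
Content-Type: text/html

<p>Please <a href="http://examplepartner.com.login-verify.example/auth">sign in
at examplepartner.com</a> within 24 hours to keep your account active.</p>
"""

# Constructed sample: what the real partner's mail looks like.
LEGIT = """\
From: "ExamplePartner Support" <support@examplepartner.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>View it at <a href="https://examplepartner.com/statements">examplepartner.com</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("constructed phish", PHISH), ("constructed legitimate mail", LEGIT)):
        print(label, "->", phishing_indicators(raw) or ["no indicators"])
```

None of these checks proves a message is malicious on its own; the value is that several of them firing together is exactly the "doesn’t quite make sense" feeling staff are being trained to act on.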

Practice safe web behavior. Do not type sensitive information into a website unless its address begins with "https://". Use strong passwords of at least eight characters (longer is better) that mix symbols, letters and numbers; as a rule of thumb, a password that appears in a dictionary is not strong enough. And never reuse the same password across multiple websites.

Beware of ransomware. Cybersecurity is not only about privacy but also about access. Instead of stealing your data, attackers will sometimes encrypt your files and demand payment for the key. Collecting the ransom has become easy for them, since payment in hard-to-trace digital currencies such as bitcoin crosses borders in minutes. With this in mind, your backup strategy is almost as important as your security strategy. On a recurring basis, practice backing up your data and then restoring it into a clean system, and keep at least one copy where a compromised machine cannot reach it. A tested backup the attackers cannot touch lets you restore without paying, which takes away most of the ransom’s leverage.
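A backup you have never restored is a hope, not a strategy. The block below is an added example written for this page, not Kestra Financial’s procedure: it runs the drill the paragraph recommends end to end in a scratch directory, with constructed client files, a stand-in for the ransomware that overwrites and renames everything, and a hash manifest that proves the restored copy matches what was backed up.

```python
"""Backup-and-restore drill: hash the live data, back it up, simulate a
ransomware run over the live copy, restore from the archive and prove the
restore matches. Added illustration; the client files are constructed."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root: Path) -> dict:
    """relative path -> SHA-256 of contents, for every file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of every file under src and return the manifest that
    restores will be verified against. In real use the manifest and archive
    live somewhere the production machines cannot write to."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())
    return sha256_manifest(src)


def restore_backup(archive: Path, dest: Path) -> None:
    """Unpack into a clean directory; the 'data' filter (Python 3.12+ and
    backports) refuses path-traversal names and special files in the archive."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def simulate_ransomware(root: Path) -> None:
    """Stand-in for the real thing: every file is overwritten with noise and
    renamed, so nothing under root is usable any more."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes())))
            p.rename(p.with_name(p.name + ".locked"))


def restore_drill() -> dict:
    """Run the drill end to end in a scratch directory and return what the
    drill log should record."""
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        live = scratch / "clients"
        (live / "notes").mkdir(parents=True)
        # constructed sample data standing in for client files
        (live / "smith_financial_plan.txt").write_text("retirement target 2035\n")
        (live / "notes" / "q1_review.txt").write_text("rebalance in April\n")

        archive = scratch / "backup.tar.gz"
        expected = make_backup(live, archive)

        simulate_ransomware(live)
        damaged = sha256_manifest(live) != expected

        restored = scratch / "restored"
        restore_backup(archive, restored)
        verified = sha256_manifest(restored) == expected
        return {"files": len(expected), "damaged": damaged, "restore_verified": verified}


if __name__ == "__main__":
    print(restore_drill())
```

The drill only proves something if the archive was untouched by the simulated attack; in this script that is guaranteed because the simulated ransomware is pointed at the live directory alone, which is exactly the property a real backup location has to have (offline, write-once or otherwise unreachable from the machines it protects).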

Avoid obscure free software downloads and file-sharing utilities. This is frequently how an intrusion starts and spreads. Free video conversion utilities are a common lure and should not be installed unless they come from a trustworthy source. Even if only one employee installs malware, it can spread across the firm.

Heed warnings. If your browser reports an invalid web certificate, do not continue. The certificate is what ties the page in front of you to the domain you typed; a page hosted anywhere else will not carry a valid certificate for that domain, and on a legitimate site the warning can mean someone is intercepting the connection. For example, attackers can copy the Gmail login page pixel for pixel and lure you to their copy (phishing), or position themselves between you and the real site and relay the traffic while reading it (a man-in-the-middle attack). A certificate error is often the only visible sign of either, so it should never be clicked through.
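The "https" rule two tips up and the certificate rule here are the same check seen from two sides: the connection must be TLS, and the certificate presented must be issued for the host in the address bar. The block below is an added example written for this page (not Kestra Financial’s code) that performs that decision the way a browser does, with constructed host names and certificate name lists, and shows that a lookalike address such as login.examplemail.com.account-check.example never matches a certificate for examplemail.com.

```python
"""What a browser's certificate warning means: the certificate does not cover
the host in the URL you typed. Added illustration; host names and subject
alternative name (SAN) lists are constructed."""
import ssl
from urllib.parse import urlparse


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of a certificate DNS name against a URL host:
    case-insensitive; a wildcard may only be the entire leftmost label and
    matches exactly one label, so *.example.com covers www.example.com but
    neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_dns_names, host: str) -> bool:
    """True if any DNS name in the certificate's SAN list matches the host."""
    return any(hostname_matches(name, host) for name in san_dns_names)


def safe_to_type_credentials(url: str, san_dns_names) -> tuple:
    """Decide, as the browser does, whether the page at `url` is the site its
    certificate vouches for. Returns (ok, reason)."""
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        return False, "not https: the form contents travel in the clear"
    if not parts.hostname:
        return False, "no host in URL"
    if not cert_covers(san_dns_names, parts.hostname):
        return False, f"certificate is not issued for {parts.hostname}"
    return True, "certificate matches the host you typed"


def browser_like_defaults() -> dict:
    """The settings a real TLS client needs so that a bad certificate fails the
    connection instead of prompting: chain verification required and hostname
    checking on. 'Continue anyway' in a browser is the equivalent of turning
    these off for that site."""
    ctx = ssl.create_default_context()
    return {"check_hostname": ctx.check_hostname,
            "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED}


if __name__ == "__main__":
    # constructed SAN list for a certificate issued to the mail provider
    san = ["examplemail.com", "*.examplemail.com"]
    for url in ("https://login.examplemail.com/signin",
                "https://login.examplemail.com.account-check.example/signin",
                "http://login.examplemail.com/signin"):
        print(url, "->", safe_to_type_credentials(url, san))
    print(browser_like_defaults())
```

The second URL is the classic lure: it starts with the real host name, so it reads correctly at a glance, but the registered domain is account-check.example and no certificate for examplemail.com will ever match it.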

In conclusion, if you suspect that you’ve been hacked or your data has been stolen, act quickly. At Kestra Financial, we encourage our advisers to contact us for assistance whenever they suspect they may have fallen victim to cyberattack.

Kevin Witt

Kevin Witt is the chief technology officer for Kestra Financial, where he leads the company’s drive to provide its advisers with innovative tools and technology that will empower their success. Kevin’s team is responsible for the design, development and implementation of a wide portfolio of applications used by employees at the Kestra Financial home office and advisers in the field.

Editor’s Note: A version of this post appeared on Kestra Financial’s blog and can be found here.




New York Planners: Time Is Running Out for Your Firm to Qualify for The NYDFS Cybersecurity Regulation Limited Exemption

Under the new NYDFS cybersecurity regulation (23 NYCRR Part 500), anyone operating under a license, registration or similar authorization from New York banking, insurance or financial services law is required to assess their security risk profile, design a cyber program that addresses those risks and file an annual certification confirming compliance with the regulation.

September 27, 2017 is the deadline for filing a Notice of Exemption. Missing it will cost your firm thousands if it would have qualified for the Limited Exemption.

You may qualify for a limited exemption if you meet any one of the following (the following information is from the New York Department of Financial Services and is available here):

Section 500.19 (a)(1): Have fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity

Section 500.19 (a)(2): Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates

Section 500.19 (a)(3): Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates

Section 500.19 (b): An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity

Section 500.19 (c): A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of this Part

Section 500.19 (d): A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part

To file for an exemption: log into the NYDFS Portal and file. Save the email you receive after filing for evidence.

Key Dates Under New York’s Cybersecurity Regulation (23 NYCRR Part 500)

Here are other important dates to know when it comes to the new regulation (the following information is from the New York Department of Financial Services and is available here):

  • March 1, 2017: 23 NYCRR Part 500 becomes effective.
  • August 28, 2017: 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017: Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018: One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

If you need assistance filing for an exemption, Financial Computer is providing complimentary assistance for FPA members. Click here to schedule some time with one of our cybersecurity experts.

Brian Edelman is a cybersecurity expert and the CEO of Financial Computer, Inc., a company that provides cybersecurity, integrations and IT support to the financial services community.