A cybersecurity stack is a non-negotiable part of every compliant technology set-up. It consists of all the tools meant to protect an investment advisory firm against data breaches and other online attacks, together with the active management required to oversee those tools. Firms of every size are on the hook for cybersecurity compliance and for keeping firm and client data secure.
Here's a look at what the stacks of RIAs of all sizes should include.
The essentials
While a firewall, antivirus software and backup capabilities were once considered cutting-edge elements of a cyberstack, today they are the lowest common denominator of protection and are not, by themselves, enough for a firm of any size. Even small RIAs need a stack built around a business-class firewall that adds content filtering, spyware protection and intrusion detection and prevention.
A robust, proactive stack also has endpoint detection and response, or EDR, software for additional monitoring and protection of a firm's devices. Unlike traditional antivirus software, which is reactive and flags only known threats that match a signature, EDR continuously records and analyzes what is happening on each endpoint. If ransomware is discovered on a networked computer, EDR allows that device to be isolated from the network (or shut down) so the infection cannot spread, and products that support rollback can restore the machine to its state before the infection, getting it back into service quickly.
Ensuring that the advisor's core business activities, including cloud-based applications, are backed up is crucial. It is wrong to assume that everything stored in the cloud is automatically backed up and recoverable. Firms need to understand the backup policies and recovery plans of their cloud-based providers: the local IT vendor does not control a cloud provider's disaster recovery plan, something many RIAs have discovered only after a breach or other cybersecurity incident.
Another critical component of the stack is a security information and event management system, or SIEM. A SIEM collects logs from across the environment (firewall, endpoints, identity provider, cloud applications), correlates them and notifies the firm in near real time of potential security threats before they disrupt operations. It is also essential for retaining and searching security logs for compliance and auditing.
Finally, RIAs tend to overlook the need for cybersecurity awareness training and testing. It is well documented that
The human element
Cybersecurity is vital, but who has time to manage all of this? Most RIAs are focused on managing client investments and data, with no spare bandwidth or personnel to keep active eyes on their cybersecurity stack. Unfortunately, throwing up one's hands is not an option, and firms that invest in the tools but not in the people to ensure everything works set themselves up for failure. If no one is watching, intruders do not get caught; an attacker can lurk undetected inside a network for six or nine months or more if no one is paying attention.
Every RIA needs both human and AI-assisted eyes actively watching to ensure that its cybersecurity stack is thwarting unauthorized activity and that the technology is being used appropriately. Active management should include monitoring who is logging into the firm's computers and accounts, reviewing the SIEM and the encryption software, checking the firewall, addressing Office 365 issues and receiving alerts when anything unusual happens, for example when a security tool stops reporting. Deploying patches promptly to keep computers up to date is also critical in avoiding security events.
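The kind of correlation the SIEM paragraph and the login-monitoring sentence above describe can be shown concretely. The following is an added example written for this page, not code from the author or their MSP. The log format, user names, addresses, the KNOWN_IPS baseline and the thresholds are all assumptions made for the illustration; a real SIEM would ingest the firewall, Windows security and Office 365 sign-in logs instead of the constructed lines embedded here.

```python
"""
SIEM-style correlation over authentication events (added example).

Three rules run in one pass over time-ordered events:
  1. failed_login_burst   - N or more failures from one source IP inside a window
  2. success_after_burst  - a burst that ends in a successful login (likely compromise)
  3. new_source_ip        - a success from an address the user has never used before
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   "<ISO timestamp> <user> <source IP> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice 198.51.100.7 SUCCESS
2024-03-04T09:00:01 bob 203.0.113.10 FAIL
2024-03-04T09:00:04 bob 203.0.113.10 FAIL
2024-03-04T09:00:08 bob 203.0.113.10 FAIL
2024-03-04T09:00:12 bob 203.0.113.10 FAIL
2024-03-04T09:00:15 bob 203.0.113.10 FAIL
2024-03-04T09:00:20 bob 203.0.113.10 SUCCESS
2024-03-04T09:30:00 carol 198.51.100.9 FAIL
2024-03-04T09:31:00 carol 198.51.100.9 SUCCESS
"""

# Hypothetical baseline of the addresses each user normally signs in from.
KNOWN_IPS = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.8"},
    "carol": {"198.51.100.9"},
}

FAIL_THRESHOLD = 5             # failures from one source IP ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window


def parse_line(line):
    """Parse one constructed log line into an event dict."""
    ts, user, ip, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "outcome": outcome}


def correlate(lines, known_ips=KNOWN_IPS, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Run the three rules over the events in time order and return the alerts raised."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    alerts = []
    recent_fails = defaultdict(deque)  # source IP -> failure timestamps still inside the window
    burst_open = {}                    # source IP -> time a burst was first flagged

    def raise_alert(rule, severity, ev):
        alerts.append({"rule": rule, "severity": severity, "ts": ev["ts"].isoformat(),
                       "user": ev["user"], "ip": ev["ip"]})

    for ev in events:
        fails = recent_fails[ev["ip"]]
        while fails and ev["ts"] - fails[0] > window:   # expire failures older than the window
            fails.popleft()

        if ev["outcome"] == "FAIL":
            fails.append(ev["ts"])
            # Rule 1: password guessing from one address; alert once per burst, not per failure.
            if len(fails) >= fail_threshold and ev["ip"] not in burst_open:
                burst_open[ev["ip"]] = ev["ts"]
                raise_alert("failed_login_burst", "medium", ev)
            continue

        # Rule 2: the burst ended in a success shortly afterwards, so escalate.
        opened = burst_open.pop(ev["ip"], None)
        if opened is not None and ev["ts"] - opened <= window:
            raise_alert("success_after_burst", "high", ev)
        fails.clear()

        # Rule 3: successful sign-in from an address not in this user's baseline.
        if ev["ip"] not in known_ips.get(ev["user"], set()):
            raise_alert("new_source_ip", "medium", ev)

    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample log, the single failure from carol produces nothing, alice's login from her usual address produces nothing, and bob's five failures followed by a success from an unfamiliar address raise a medium alert, then a high one, then a second medium one. The point of the "alert once per burst" guard and the baseline lookup is that a SIEM rule is only useful if someone will actually read the alerts it produces, which is the staffing argument the article goes on to make.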
Managing the cost
Cybersecurity is not a hobby. Firms need active EDR, a SIEM and much more than yesterday's reactive antivirus software, which is an insufficient defense in today's environment. More people work remotely in full-time or hybrid arrangements, which means zero-trust access controls and VPNs are vital to keeping the firm's network secure. All of this requires expert oversight and management of the cybersecurity stack, and that requires investment.
It's our experience that RIAs spend about 1% of their gross revenues on technology, with roughly 10% of their technology budget allocated to cybersecurity. This budget doesn't afford most RIAs the ability to hire full-time, experienced IT directors and cybersecurity staff — in addition to third parties — to oversee the integrity of their technology.
One option is to engage a managed service provider to handle security cost-effectively. MSPs — like ours — offer a team of experts in addition to access to enterprise-grade solutions. They give financial advisors the ability to tap into the expertise and technology needed for protection from increasingly sophisticated bad actors without the burden of additional overhead, so they can focus on their core business: helping clients invest and plan for tomorrow.