On December 3, 2018 the Nebraska Department of Banking and Finance (NDBF) released their 2018 Cybersecurity Survey of Nebraska-Registered Investment Advisers. NDBF surveyed fifty-seven Nebraska registered investment advisers. The survey focused on devices used in advisory activities, Wi-Fi access points, passwords, encryption policies, and anti-virus/anti-malware services. The full report can be viewed here.
Cybersecurity attacks can happen at a firm of any size; common examples include denial of service attacks, malware, ransomware, phishing, and password attacks. Weak points can allow such an attack to gain unauthorized access to an investment adviser’s critical data. The NDBF suggests several best practices, including the use of VPNs, encryption, long unique passwords, and employee training, along with proper policy creation and review. “The biggest weakness to any firm’s cybersecurity plan are the people implementing that plan.” The following are some best practices recommended by the NDBF:
- Use devices with built-in security and encryption
- Keep operating systems up-to-date
- Allow remote “wiping” of the device if lost or stolen
- Use unique passwords on each device
- Only use secure internet connections or personal hotspots
- Use VPN connections
- Do not share files over unsecured networks and turn off file sharing
- Turn off Wi-Fi and Bluetooth connections when not in use
- Keep passwords private and do not share with anyone
- Use longer passwords or passphrases that are harder to crack
- Regularly change passwords
- Use unique passwords for each system
- Use multi-factor authentication to add an extra layer of protection
For a more thorough review of your cybersecurity measures, RIA Compliance Consultants, Inc. has cybersecurity sample forms available. In our Cybersecurity – Best Practices Checklist, we have compiled a list of best practices intended to help an investment adviser protect its information systems and the confidential information of its clients. More information about this sample form can be found here. We also provide other cybersecurity-related forms such as Conducting Due Diligence of Cloud Computing Service Providers, which can be viewed here; Cleaning Company – Acknowledgement of Background Checks, which can be viewed here; Letter Notifying Client of Phishing Email, which can be viewed here; GDPR Best Practices for Website, which can be viewed here; and Cybersecurity – Employee Acknowledgement, which can be viewed here. We encourage you to speak with your consultant about your cybersecurity policies and procedures. If you are not a client of RCC, please click here to set up an introductory call.