On January 7, 2021, the North American Securities Administrators Association (NASAA) reminded state-registered investment advisers to report to their primary securities regulator any known issues or concerns related to a recent RIA cybersecurity incident.
In December 2020, SolarWinds was the victim of a breach that caused SolarWinds Orion Network Management Products to transmit malware to many of its clients. The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency has issued an alert that describes the threat and provides guidance on how to address it. The alert is available here.
NASAA has been working with federal agencies to provide updated information to state and provincial securities regulators about this recent RIA cybersecurity incident. NASAA issued this reminder to raise awareness among state registrants and to provide information and resources to help those affected recover quickly and protect their clients and colleagues. Any firm running known malicious versions of the SolarWinds Orion software should contact its primary regulator. If your investment adviser firm was a victim of the SolarWinds cybersecurity incident, contact information for all state and provincial securities regulators can be found on the NASAA website, here.
NASAA’s recently issued release serves as a reminder of the importance of maintaining an up-to-date cybersecurity policy. A cybersecurity policy should include an ongoing review of third-party vendors. To the extent a vendor has access to or maintains confidential client information, a best practice is for an investment adviser firm, as part of its due diligence process, to review (if possible) the vendor’s cybersecurity incident response plan and practices, and to require the vendor to promptly notify the investment adviser firm of each cybersecurity incident related to the firm’s clients and to provide regular and detailed updates on the vendor’s investigation, notifications, and mitigation/resolution of the incident. For additional cybersecurity best practices related to your investment adviser’s due diligence of third-party vendors, please see Cybersecurity – Conducting Due Diligence of Cloud Computing Service Providers and Cybersecurity – Best Practices Checklist.
Although RIA Compliance Consultants is not a cybersecurity expert, we are available to assist your investment adviser firm (in conjunction with your information technology staff or consultant) with developing and maintaining policies and procedures to address cybersecurity issues as they relate to your investment adviser firm. To learn more about our services, please call us at 877-345-4034.