Did you know that the FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists? Cyber threats are serious and growing, and intrusions are becoming more commonplace, more dangerous, and more sophisticated.
In fact, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently alerted investment professionals about many of the common lapses it observed when conducting thousands of cyber security exams [1]. The report warned that hackers are becoming more aggressive and sophisticated — and in some cases are backed by substantial resources and nation-state actors.
Based on recent feedback from Mutual Fund Board Trustees and Directors, many in the industry are taking notice of the warnings and stepping up to make sure that their affiliated service providers, fund administrators, distributors, and other business partners are doing all they can to protect shareholders from cyber harm.
To help educate independent advisers, asset managers, investment firms, boards, and prospects about the importance of protecting confidential client data, Shawn Waldman, Chief Executive Officer of Secure Cyber Defense, recently outlined a cyber security checklist of the top five things professionals in the financial industry should consider when setting priorities and budgeting for 2020.
Note: The list below is intended as a general outline to help prepare for the unexpected. It is not a complete list of all cyber security measures available or what might be recommended after consultation with cyber security experts or on-staff IT professionals with experience in the financial services industry.
- Proactive Risk Assessment – a plan/procedure that helps identify assets that could be impacted by a cyber security attack, and the risk that could affect those assets. According to Waldman, most companies fall into two categories – those who have been attacked and those who will be attacked. So, having a response plan in place is critical.
- Email Phishing – 90% of cyber attacks occur via email. Phishing emails account for 9 out of 10 cyber security breaches. Although most people (78%) know better than to click on suspicious emails, at least 4% will click on a malicious campaign. For example, if 25 advisers work for an investment firm, at least one will open the e-door to a cyber hacker. At larger investment firms with 200 employees or more, that means at least 8 will take the bait. And for independent advisers working from home, clicking on a phishing link may cause a breach of confidential client data, loss of business, SEC and FINRA fines, and a ruined reputation.
- Software Patches – advisers may not regularly patch their systems for various reasons, but it’s a critical process. It’s not uncommon for malicious actors to exploit system vulnerabilities after public disclosure of software updates and before new patches are applied. Spending a few hours to install patches may save you hundreds of thousands of dollars in damage, and hundreds of hours in recovery caused by a vulnerability or software failure.
- Firewall/Antivirus/Anti-Malware – firewalls work like a filter between a computer/network and the Internet. Advisers can configure which traffic is allowed out and which is allowed in. Everything else is blocked. When considering which antivirus program to get, real-time protection is the key feature. It means advisers and asset managers are protected whenever the computer is on, because the program continually scans incoming URLs and files for threats. It’s like having a security guard at your front door, checking the credentials of everyone who wants in.
- End-Point Protection/Security – security solutions that address endpoint security issues, securing and protecting endpoints like workstations, laptops, tablet PCs, smartphones and servers against zero-day exploits, attacks, and inadvertent data leaks resulting from human error. By creating and enforcing rules for endpoints, protection solutions identify sensitive data and encrypt it, or block the copying or transfer of certain files or sensitive data based on classification.
One more item not on the list: be sure to have a good backup strategy. If a cyber hacker gets access to client data, be sure you have an offline backup in paper form or in the cloud. But test those backups often to be sure they are working. For example, a hacked investment firm tries to restore data via its backup system, but the restore doesn’t work. That’s bad news for anyone who didn’t test the strategy before a cyber breach.
If you think more cyber security procedures are needed to protect your systems, contact Shawn Waldman at Secure Cyber Defense via email@example.com, talk to your IT specialist, or reach out to someone you trust in the industry to make a recommendation.
Ultimus Fund Solutions takes cyber security fundamentals very seriously and constantly invests in IT systems, updated technology, employee training programs, and other important resources so the business stays protected. The company has been a client of Secure Cyber Defense for the last six years.
Shawn Waldman is the Chief Executive Officer (CEO) and Founder of Secure Cyber Defense, LLC, a company in Miamisburg, Ohio that delivers cyber security services for all types of industries including finance, manufacturing, education, pharmaceuticals and healthcare, and government agencies. Specific services provided include vulnerability assessments, security controls, risks and compliance evaluation, threat protection, and ongoing monitoring for any size organization.