L A W
Cybersecurity: What’s an Advisor to do? Cybersecurity is much like the rest of the retirement world — all about process. BY DAVID N. LEVINE
E
very week brings a new story of cyber breaches in the retirement industry. Many of these stories focus on service providers such as recordkeepers. Others focus on data and payroll security at plan sponsors. However, not to be forgotten are cybersecurity challenges for advisors. The Office of Compliance Inspections and Examinations at the Securities and Exchange Commission specifically noted in its 2019 examination priorities that it will continue to focus on cybersecurity practices at investment advisers, with a focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. Furthermore, now that almost every state has a data breach notification law and with federal legislation at “top of mind” for many members of Congress, the potential responsibilities on advisors continue to mount.
58
N A P A
NNTM_SPG19_58_InsideLaw.indd 58
N E T
T H E
However, recognizing that some advisors are in smaller organizations with limited information technology resources and that cybersecurity is a big step away from the traditional world of retirement advice, what’s a plan advisor to do? As someone who was a geeky programmer as a kid and has always kept one foot in that world, I have three words of advice that may sound familiar: process, process, process. Fiduciary prudence requires process. SEC compliance is a process. And so is cybersecurity. There are many frameworks for addressing and managing cybersecurity risk and many steps I go through when working with a client – whether an adviser, plan sponsor or other service provider – but it can be distilled to some basic steps. Most importantly, it is important to start with a basic assumption: Bad actors are trying to breach your organization’s cybersecurity all the time.
As events affecting even the largest companies have shown, no one is immune to breaches. With that in mind, here are five basic questions to consider as a framework for evaluating your approach to cybersecurity: 1. What data do you have? A key starting point is understanding what data you have – both your own and your clients’ – and analyzing what you need and where it is kept (and possibly doing a “data cleanse”). 2. What controls do you have on your own data and your clients’ data? These controls can be technological limitations, access control, contractual limits on your vendors, and encryption levels, to name a few. 3. What steps have you taken to monitor access to – and attempts to break into – the data you have? These steps can be software driven. They include monitoring controls, agreements with vendors that require data reporting/security flaw reporting, intrusion monitoring and evaluation, and even basic network security processes such as system upgrade standards and testing the ability for others to break into your network (which is referred to as “penetration testing”). 4. What duties and obligations do you have to disclose data breaches? Your obligations to disclose breaches can come from many sources, from regulatory and legal requirements to contractual commitments. 5. How do you remedy cybersecurity breaches affecting your business and/or clients? Advisory contracts may provide for liability, and laws and regulations may impose liability for a cybersecurity breach. Cybersecurity insurance can assist with and provide coverage for a breach. Cybersecurity is an evolving landscape – even for those of us who touch it every day. In the end, however, cybersecurity remains much like the rest of the retirement world – all about process. And as advisors know, an ounce of proactive process truly can be worth well more than a pound of cure. N » David N. Levine is a principal with Groom Law Group, Chartered, in Washington, DC.
/ SHUTTERSTOCK.COM
T H E
SERGEY NIVENS
I N S I D E
M A G A Z I N E
3/4/19 9:27 AM