Dear Reader,
I’m always delighted when I see adviser organizations take proactive steps to focus on future challenges. In the United States, we are typically a reactive culture. We don’t address problems until they are sitting in our laps. We don’t focus on economic policy to prevent crisis until the crisis has occurred. We don’t reform until we find ourselves flat on our back and the tire tracks cover us.
But I’m very pleased to see the proactivity of the Financial Planning Association. Recognizing that financial services industries are 300 times more likely to face cybersecurity challenges than other sectors, the association has moved to create a new certification program to comply with federal standards.
Its new Cybersecurity for Financial Planners: An FPA Certificate Program, aims to help advisers protect client data and comply with recent SEC and FINRA cybersecurity standards.
Six Areas of Focus
The new program will have six focus areas and help advisers establish a custom, long-term cybersecurity program. The goal is to protect client data and create a record of company practices should it face an audit by regulatory bodies. Let’s take a look at the six sections:
- Part 1: Introduction to Cybersecurity — This section offers a historical perspective of cybersecurity with a focus on major events and regulatory changes since 2014. This section amplifies the importance of New York Department of Financial Services (NYDFS) requirements, and how they are central to the creation of a cybersecurity program.
- Part 2: What is a Cybersecurity Program? — This section outlines the critical importance of a cybersecurity program and outlines. It provides an understanding of the standards tied to controls, sections, and policies.
- Part 3: Program Controls — This section explores various policies under Program Controls. It covers what type of personal information is classified under Non-Public Information (NPI). It also provides a deeper understanding risk management and risk assessment. Finally, it outlines the key roles a financial firm’s Security Team and other relevant participants.
- Part 4: Process Controls — This section explores an adviser’s continuity plan and the relevance of a Security Incident Response Plan (SIRP). Participants also explore how to assess cybersecurity risks of third-party vendors.
- Part 5: Data Controls — This section explores the management of infrastructure and endpoints in a cybersecurity process. It will also explore the critical role of management and password management software.
- Part 6: Technical and Physical Controls — Finally, this section explores endpoint security. The section outlines different security measures workstations, mobile device and networks. It also covers physical security and the need for robust incident Response Plans
Reinforcing the Narrative
The FPA definitely echoed the importance of a strong cybersecurity program in today’s world. But I wanted to also highlight a few comments from the Schwab IMPACT 2020 Conference in October. Cybersecurity expert John Sileo, who lost his fortune to cybercrime, outlined the threats that cybercriminals pose to financial advisers.
“The newest wave of cybercriminals, like stealthy ninjas, use your technology against you to remain undetected,” Sileo told the audience. “They commandeer your threat detection software to keep them safe.” He explained that cybercriminals typically spend around 200 days in your system before they are noticed.
Be sure to check out the recap from the Schwab IMPACT 2020 Conference.
Tiffany Garcia, national cybersecurity practice leader for CBIZ, speaks to the importance of education in this space for advisers.
And Nick Harness, CIO at Kestra Financial, talks about additional training required, particularly on the client side.
I’ll be back next week to discuss cybersecurity challenges with a friend in the industry.
Talk then,
Garrett
