The exponential growth of cybersecurity risks makes it imperative for you to have a cybersecurity plan — to prevent the breach of sensitive client information and to avoid business disruption.

Cybersecurity risks have increased as more information becomes digitized and the use of third-party software and systems has increased.

The Canadian Securities Administrators has noted that financial advisors have an obligation to implement measures to deal with cybersecurity risks. "Registrants and regulated entities should be aware of the challenges of cybercrime and should take the appropriate protective and security hygiene measures necessary to safeguard themselves and their clients," it stated in a release from 2013.

These measures include:

  • educating staff on the importance of ensuring the security of their client information and their computers;
  • following guidance and best practices from industry associations and recognized information-security organizations;
  • conducting regular third-party vulnerability and security tests and assessments;
  • reviewing your cybersecurity risk control measures on a regular basis.
     

Below are some of the key considerations your cybersecurity plan should incorporate.

> List your users and suppliers
Compile an inventory of all users of authorized devices and software, suggests Walid Abdelaty, senior analyst and web developer with Techlicity Ventures Inc. in Toronto. Discourage the use of unauthorized devices and software, and ensure that all devices have secure configurations.

Also, take an inventory of all third-party providers of services you use such, as hosting, email, client-relationship and portfolio-management systems and cloud-based and physical servers.

> Assess administrative privileges
Evaluate internal and external privileges and ensure appropriate controls exists for all points of access to your systems, Abdelaty advises. These include internal administrative privileges for staff as well as external software and technology used in areas such as creating firewalls, encrypting data, segregating your network and storing your data.

"When an external provider is used," Abdelaty says, "make sure that its procedures are adequate to prevent unauthorized access to your systems."

To prevent breaches, ensure the use of strong passwords, which should be changed regularly. And enforce pre-approval requirements for the release of sensitive information to external parties.

> Conduct vulnerability assessments
Abdelaty suggests that you conduct regular vulnerability assessments to determine how you would respond to a data breach.

"Identify a set of possible cyber events and assess the potential impact of each event," he says. Document procedures you should take to limit a potential breach and how you would respond to it. "Vulnerability assessments should be automated," Abdelaty says.

> Mitigate risks
The primary objective of your cybersecurity plan is to mitigate the risk of a cyber attack, Abdelaty says. He cautions that not all attacks can be prevented, as cyber criminals are becoming increasingly sophisticated.

"The key," he says, "is to invest in the most up-to-date technology to reduce the chances of a cyber attack."

It may be necessary to secure the assistance of an external provider, especially for smaller practices, he says. Incorporate regular audits of your cyber controls to ensure that they are up-to-date. 

Photo copyright: leowolfert/123RF