Cyber security, cyber security, cyber security. 10 years ago, it wasn’t even a thing. Now, it is one of the hottest topics in the financial services industry.
Unfortunately, these days individuals trying to run a small one- or two-person investment adviser have found themselves spending more time dealing with compliance than managing money. Doesn’t sound right, but it is a sad truth of the business.
As if it wasn’t difficult enough keeping up with the books and records maintenance, conflicts of interest disclosures, annual and other-than-annual filings, etc., now there is cyber security to deal with. And it is not as simple and straightforward a compliance issue as keeping up with required books and records maintenance. Small firms (in regard to staffing and not assets under management) with minimal systems still have to deal with cyber security.
Cyber security does not just relate to the encryption and protection of your own systems. Many do not realize that they are also responsible for ensuring that their third-party service providers have appropriate cyber security policies in place. If an adviser has strong cyber security policies in place, but performs no due diligence on its third-party service providers’ cyber security policies, there is a chance that the adviser’s systems could be compromised via one of its vendors. If this happens, expect to receive a visit from the regulators. With that being said, due diligence of third-party service providers is an important part of any cyber security procedures.
Cyber security has become a priority issue for many regulators. In fact, the SEC has made it one of its focuses in protecting retail investors. For more information, please refer to this article regarding the SEC’s Enforcement Division’s focus on cyber security issues.