By now, everyone in the financial industry should at least be aware of the growing threat from hackers, but many are still in the dark about what their firms can actually do. Smaller firms can’t afford an entire IT team, and even a massive cybersecurity budget couldn’t protect J.P. Morgan Chase.
In a series of panel discussions at the FINRA/SIFMA Cybersecurity Conference in New York, leaders in the security space argued that it’s impossible to completely prevent an attack, but firms can mitigate the damage. Apart from joining FS-ISAC to share information about risks, attacks and breaches – one of the central themes of the entire conference – panelists said firms need to create a plan and get educated about cybersecurity.
Timothy Nagle, the chief privacy counsel at Prudential Financial, said all firms need to begin with an information security program and a privacy policy that describes how the firm uses personal information. There should also be a person designated to take the lead on security.
“If you don’t have something you can point to, then shame on you,” Nagle said. “There can be five people in your firm, but somebody has to be able to say, ‘yes we’ve got that.’”
Wells Fargo Senior Vice President of Enterprise Information Security Moriah Lazar Hara added that policies should also be agreed with third-party technology vendors, who will be working to contain an incident. Everyone needs to be on the same page, but firms must recognize that many attacks originate with uninformed users within the company.
“Create a custom, quarterly training for users that goes over thematic issues that they are responsible for,” Moriah said. “Tie it to how important it is to what they do for the enterprise.”
Even with a plan in place and a staff educated in Internet safety, how can small firms even detect an attack on their networks? There needs to be an infrastructure in place to detect a breach, but it’s expensive. The important thing is to identify the firm’s most critical data and start by protecting that.
Again, the panelists agreed that getting educated about security is probably the most important step, as many executives don’t recognize information from engineers as important enough to act on.
“Get smart and get literate. You don’t have to be a developer,” said Hardeep Walia, the CEO of Motif Investing.
Education is also important when recovering from a cybersecurity incident. Firms need to educate clients on how to protect their own computers, and advisors need to keep detailed logs of every step taken during the incident. This will not only help guard against future attacks, but can also help show regulators that the company did its due diligence to protect investors.
Following a prepared plan is also crucial during the recovery phase, as the requirements to report a breach can vary from state to state. After the attack is contained, it’s important to evaluate how the plan worked and how it can be better in the future.
“I still fall back to having that plan at each level and being able to follow those steps,” said Lon Dolber, the CEO and CIO of American Portfolios Financial Services. “It has to be written down [and] has to be modified.”