Cybersecurity for RIAs

Last year the Securities and Exchange Commission (SEC) voted to implement new and amended cybersecurity risk management requirements for registered investment advisers (RIAs) and funds under the Advisers Act of 1940.

Is your firm ready?

The proposed SEC rule changes would oblige RIA firms to develop and implement written policies and procedures to reduce cybersecurity risks that could harm clients and fund investors. The proposed regulations would also force advisers to report cybersecurity incidents like data breaches involving client information to the SEC.

Additionally, the proposed changes call for publicly disclosing cybersecurity risks and significant incidents from the last two fiscal years in their marketing materials and registration statements.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC Chair Gary Gensler.

While comments initially closed in April 2022, comments were reopened on March 15, 2023. Once comments are fully closed, the finalized rules will most likely become effective later in 2023. We will be providing future updates once the final regulations are published.

What do the New SEC RIA Cybersecurity Requirements Entail?

The four significant proposed changes include the following:

  1. The proposal consists of new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. In addition, the proposed cybersecurity risk management rules require public companies to adopt and implement policies and procedures for identifying, assessing, and mitigating cyber risks.
  2. The proposal also includes a reporting requirement under new rule 204-6 mandating companies report significant cybersecurity incidents affecting the adviser, its fund, or private fund clients.
  3. The updated rules include changes to Form ADV Part 2A requiring advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.
  4. The proposal also includes new recordkeeping requirements under the Advisers Act and Investment Company Act Rule 204-2 to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.

What Can You Do to Prepare for RIA Cybersecurity Enforcement?

Here are some expert tips on being ready for enforcement when the changes go into effect later this year.

  • Develop and Implement Policies and Procedures

RIAs and funds must create comprehensive cybersecurity policies and procedures to mitigate cybersecurity risks per the proposed rules. Keep in mind that these policies and procedures must be both compliant and actionable.

  • Conduct a Risk Assessment

Evaluate cybersecurity risks by identifying, categorizing, and prioritizing cybersecurity risks related to your systems and operations. By conducting an effective risk assessment, you’ll have the necessary information to develop compliant policies and procedures to combat potential cybersecurity risks.

  • Prepare for Disclosure Obligations

When it comes to disclosures associated with cybersecurity risks or incidents, develop procedures for clear, accurate, and timely disclosures to the SEC, clients, investors, and other market participants.

  • Continuity Planning

In the event of a cybersecurity incident, you must be able to maintain system operations. So, test your incident response and business continuity plans through tabletop exercises to ensure compliance with the requirements.

  • Reporting and Documentation

Employing a governance, risk, and compliance (GRC) solution will ensure you have well-documented evidence that your cybersecurity program is compliant.

In addition to ensuring that your firm will align with the changes, these suggestions are also considered best practices for mitigating the risks from data breaches and other cyber attacks. Following these and other practices makes good sense whether your firm is required to or not.

By employing these practices, you’ll be ready for any forthcoming changes to cybersecurity regulations and well-protected against potential security threats. One solution for preparing now or later is to work with an experienced and knowledgeable IT service provider. An IT partner experienced with RIA firms, and one employing robust cybersecurity and compliance solutions can reduce the time and resources it takes to comply with and implement these and other cybersecurity compliance standards.

Data Loss Prevention

We are all aware of the anxiety losing something can cause. If you’ve ever misplaced your wallet, you are aware of the lasting impact it has. First, you have to get in touch with your bank, then request a new license, and then update all your existing accounts with the new information when it arrives. Even after handling the seemingly endless immediate effects of the loss, the fear of what happened to your personal information may last a while.

Now imagine if you were an organization that lost hundreds of thousands of records containing personally identifiable information (PII) or intellectual property (IP). In 2022 alone, several major companies such as Uber and Rockstar Games have been affected by data breaches that have compromised large quantities of their stored PII.

Numerous factors, including internal and external threats, system flaws, or even human conduct, can lead to data loss. Whatever the source, your company can take steps to stop data loss, shorten the duration of the incident, and lower the overall cost to your organization. The SEC’s Office of Compliance Inspections and Examinations (OCIE) notes data loss prevention as a critical area in their Cybersecurity and Resilience Observations report.

What is Data Loss Prevention?

Data loss prevention (DLP) involves having systems, tools, policies, and training to prevent data from being misused, lost, or accessed by unauthorized users. Preventing data loss is especially crucial for businesses that handle sensitive information like personally identifiable information (PII), intellectual property (IP), and personal health information (PHI). IBM’s 2021 Cost of a Data Breach Report found that PII was the most common type of record lost, included in 44% of breaches. PII is also the most costly type of stolen record, costing businesses up to $180 per record.

For those in highly regulated industries, like financial services and life sciences, data loss prevention is required. Data management and security are crucial elements in FDA Title 21 CFR Part 11, HIPAA, the Sarbanes-Oxley Act (SOX), FINRA rules, and SEC Rule 17a-4. Keep in mind that many of these regulations require preventative measures, specific actions, and documentation in the event of a data breach.

The Cost of Data Loss

Whether you experience a data breach from an inside user or permanent data loss from a malicious attack, there are long term consequences. Decreased productivity, loss of consumer and investor confidence, legal fees, and remediation expenses are only a few of the costs. For many organizations, it can take years to recover from the damage. Unfortunately, some businesses don’t survive these costs and are forced to close.

Even if you experience a breach, having a data loss prevention strategy can reduce the costs. The average cost of a breach is $4.24 million. Data loss prevention can reduce the overall cost of a breach by $136,992, according to IBM’s 2022 Cost of a Data Breach Report.

Developing a Strategy

To meet compliance standards and secure your data, your organization needs to have a comprehensive security plan that includes preventative and responsive actions.

Develop Comprehensive Policies

When we think about cybersecurity and data protection, we often think of technology. Although technology is a significant factor in security, policies set the tone for the organization and provide guidance on which technology solutions are needed. A lack of policies and procedures can undermine even the best technologies.

Create an Asset Inventory

You can’t protect your data if you don’t know where it is. Develop an asset inventory that lists all your data, where it lives, and how it’s currently being protected. Be sure to note your critical assets and systems that would affect your business operations.

Assess and Treat Vulnerabilities

To understand how your organization could experience data loss, you need to be aware of what vulnerabilities exist in your environment. Establish regular, comprehensive vulnerability assessments and penetration tests to stay on top of your current weaknesses.

Create and implement treatment plans for discovered vulnerabilities, e.g., patch management schedule, awareness training, and comprehensive policies.

Implement Access Control

Determine paths of ingress and egress for sensitive information. Determine who has access to sensitive data and implement the principle of least privilege to ensure that access is restricted to only those that should have it. Ensure access and usage are audited. Implement appropriate restrictions and logging at all points of egress.

Conduct Security Awareness Training

Since human error remains among the top causes of data breaches, it’s essential to conduct quarterly or semi-annual security awareness training. Users who have received training are better equipped to spot harmful emails and phishing schemes. It also teaches them what steps to take if they have received this type of communication.

Implement Perimeter and Endpoint Security

Remote work is here to stay, and as such, the perimeter of your network is no longer limited to the boundaries of your office or data center. You need to ensure that you have total visibility into all incoming and outgoing network traffic, including endpoints. Implement firewalls, endpoint protection platforms, and email security. These tools will give your IT team or MSP the visibility they need to detect and respond to threats straight away.

Having a dedicated security team to actively monitor your environment around the clock allows them to respond quickly to suspicious activities occurring on your network.

Properly Dispose of Legacy Systems

Remove software that is no longer receiving security patching from the vendor. Ensure that all sensitive data is removed when disposing of outdated software and hardware. Use disposal or recycling vendors that provide a certificate of destruction.

Create a Backup and Disaster Recovery Plan

Unfortunately, even with the best security measures in place, data loss is still a possibility. That’s why you need to have regular and tested backups along with a comprehensive disaster recovery plan. A plan will help your organization maintain business continuity and compliance while addressing a disaster or breach.

Staying Compliant and Protecting Your Data

Data loss can have a significant and irreversible impact on your business. Data loss prevention is an essential component of your overall security posture. To maintain compliance, your organization must secure and monitor your data continuously. As the threat of cyber-attacks continues to grow, it can be challenging to balance security, compliance, and day-to-day support. Coretelligent can help to strengthen your cybersecurity posture and protect your data. You can learn more about what we offer, including cloud-based solutions, backup and business continuity services, IT planning and strategy, compliance solutions, and more here.

Disaster Recovery as a Service (DRaaS)

The modern business runs on IT and data. Both underpin every business function and act as revenue generators. But as IT becomes more valuable to your organization, protecting your investment with backup and disaster recovery solutions like Disaster Recovery as a Service (DRaaS) becomes even more critical.

What is DRaaS?

Disaster Recovery as a Service is a flexible and robust cloud computing backup solution delivered with the ease of Software as a Service (SaaS). The SaaS approach means organizations have a reliable and flexible backup solution without the hassle of owning, maintaining, and managing those resources. Brien Posey sums it up best in Conversational Disaster Recovery as a Service, co-sponsored by Veeam, “DRaaS is essentially a subscription-based disaster recovery service.”

DRaaS differs from a traditional backup solution that merely creates a copy of an organization’s data. With DRaaS, in the event of a disruption, an organization can simply switch over operations to the cloud allowing for business continuity.

The best disaster recovery (DR) services and DRaaS providers make it simple and easy to maintain business continuity and ensure data loss prevention via file syncing for your systems. However, as business data can often be fragmented between different systems, applications, and IT infrastructure, extra attention to detail is required to prevent data loss and ensure operational continuity.

Even the most severe failure can result in minimal disruption if you have good continuity and recovery planning. DRaaS providers work with the most complex data sets, often within native or hybrid clouds, to ensure business continuity in the event of loss or failure of data and critical systems.

Expect the Unexpected

DRaaS can help protect your business from any number of threats, including:

  • Severe Weather

Because DRaaS is a cloud-based solution, you’ll be able to access your data from any location with an internet connection. If a natural disaster makes your office unusable,  your business can continue remotely.

  • Cybersecurity Threats

Data breaches are a major concern for businesses, and DR and DRaaS can help protect against them. Malware and ransomware are a particularly dangerous and prevalent threat, but human error and natural disasters can just as easily disrupt applications, workflows, and revenue production.

  • WFH Security

As remote working has become a regular part of business, DRaaS is powerful and flexible enough to handle the demands of the modern workplace.

The Importance of SLAs in DRaaS

The key question for any DR plan is whether it will work when needed. Best practices indicate that DR plans be tested every six months. Without that testing, there is no assurance that your organization can recover from an event. An experienced and comprehensive DRaaS provider will assist with DR testing and offer guarantees of successful testing along with solid service level agreements (SLAs) to back up their DR capabilities.

An SLA should clearly document the recovery plan’s RTO and RPO. A Recovery Time Objective (RTO) is the time that elapses between an incident and the resumption of critical business processes. A Recovery Point Objective (RPO) defines how much data the organization can afford to lose, measured in time. These are essential metrics for any DR plan, and the SLA should be clear about how the DRaaS provider will ensure these standards.

How DRaaS Provides Ransomware Protection

With the rise of ransomware, businesses must implement a bifurcated cybersecurity model to ensure long-term resiliency. The first branch comprises a business’s security program to prevent cyber incidents. At the same time, the second branch consists of all company preparations for recovery if the cybersecurity program fails. Both must receive equal care and attention in their planning and execution.

DRaaS falls into the second branch. DRaaS can help recover from a cyber event quickly, including ransomware. When paired with Backup as a Service (BaaS), which focuses on preserving data, DRaaS can offer fast recovery for parts of the IT ecosystem that haven’t yet been affected by malware or ransomware.

Additional Benefits of DRaaS

  • DRaaS can free your internal IT team to focus on core operations and innovation.
  • In business, time is money, and DRaaS can shorten your recovery time in the event of a disruption.
  • DRaaS solutions are more cost-effective than fully in-house disaster recovery programs.
  • Since DRaaS is a cloud-based solution, you can run your business from anywhere–even in the event of a natural disaster.
  • By choosing a DRaaS provider, you benefit from their years of experience and know-how. This assistance can help your company avoid costly DR planning, testing, and execution mistakes.

DRaaS: Reliability is the Goal

A good disaster recovery plan should ensure the data protection and continuity of your business, no matter the type of disruption. This planning requires both due diligence and dialogue with all stakeholders to ensure that nothing is overlooked.

In searching for a DRaaS provider, an excellent first step is connecting with trusted peers to inquire about their solutions, ask what lessons they have learned, and seek out recommendations for managed DRaaS vendors.

After gathering information from vendors, compare their expertise, benefits, and results. Most importantly, talk to your business’s leadership about disaster recovery. It’s a business decision, not one for IT alone.


About Chris

As Chief Technology Officer at Coretelligent, Chris Messer is a transformational and strategic IT leader who establishes and leads Coretelligent’s technical vision and technological development. Click here to learn more about Chris.

Are your backup and disaster recovery strategies robust enough to support your company in the face of a widespread disaster?

While many companies are asking that question over the past two years, being proactive about creating and maintaining a backup and disaster recovery plan isn’t a new concept for organizations.

Thousands of companies are faced with business disruptions on an annual basis due to natural disasters or other unexpected events.

The uncertainty of the world around us demands that IT and business teams work together to form a cohesive strategy that will help maintain consistent operations in the face of overwhelming odds and unexpected circumstances — the definition of a business continuity strategy.

Even if your company doesn’t currently have a plan in place, it’s not too late to review procedures and focus on the most important tactics in the event of extended interruptions to our daily lives.

Cloud-Based Backup Reduces Risk of Data Loss

Fully automated backup and disaster recovery solutions are available, but not all services are alike.

For instance, the CoreBDR solution from Coretelligent provides your organization with granular, fast and efficient backups that help reduce the risk associated with data loss when your staff members and contractors are working remotely.

This is a shift from backup strategies that have been employed in the past, which may require the physical presence of staff members onsite at a data center.

With automation supported by industry-leading software solutions and trained IT service providers, you gain an added peace of mind knowing that your business systems can be quickly restored or accessed remotely when needed.

Supporting Your Mobile Workforce

A crisis can change in days, leaving you with little time to purchase, provision and deploy a suite of devices to staff members in remote locations.

In this situation, it’s particularly critical to ensure that staff members understand the security principles needed for secure storage of company data and how to remotely access business applications.

Without access to company laptops or desktops that already contain solutions such as cloud-based data sync and direct connections to on-premise business applications and data, employees may resort to sharing directly from their personal machines or creating data connections that are less-than-secure.

Reduce this possibility by quickly rolling out standards and protocol for creating secure connections for a variety of different working configurations.

Protecting SaaS Data

There are companies such as Google and Microsoft that we can feel confident trusting that our business data will be fully protected in the event of a widescale disaster, but what about smaller SaaS providers?

Business data stored with mid-tier cloud software providers may also be at risk depending on the terms of your individual agreements.

Now is the ideal time to ensure that your digital assets are fully protected and that you will still be able to access vital structures and business systems during a protracted interruption in daily life — either for your company or that of your service provider.

While it would have been impossible to predict the coronavirus pandemic that swept the world, many of the strategies that you put in place with a traditional backup and disaster recovery strategy would translate well to this situation and future ones like it.

From protecting staff members and their personal information to ensuring that your remote access procedures have the highest level of security, IT teams are struggling to find their focus in this “new normal”.

Fortunately, the experts at Coretelligent have over a decade of experience working with organizations from a variety of industries to create proactive backup and disaster recovery strategies that can be quickly and securely executed based on the needs of your company.

Contact the Coretelligent team at 855-841-5888 or via email to info@coretelligent.com to schedule your complimentary initial consultation. You can also download a quick business continuity checklist or view our tips for working remotely.

How to Effectively Assess Enterprise Backup Solutions?

Disasters and cyber-attacks happen, but data loss does not have to be inevitable. Data loss can be avoided or mitigated with a robust backup and disaster recovery solution (BDR). Surviving a catastrophic data loss event depends on choosing the right BDR solution. But you need to understand the critical components in order to successfully evaluate enterprise backup solutions.

What is BDR?

Comprehensive BDR solutions offer recovery options for various data loss scenarios. Determining the correct solution is a deliberate and tactical process that evaluates business data, applications, operations, and risk exposure.

Solutions often include a hybrid of daily backups and more frequent replication of virtual servers to a secondary storage site for rapid recovery. They may also include cloud-to-cloud (C2C) backup, especially for companies that use SaaS applications like Microsoft 365. Daily backups provide long-term recovery capabilities, while backup replication allows for the rapid failover of business operations to a disaster recovery (DR) site.

At this point, it’s important to point out the pitfall of relying on a primary cloud provider as a backup source for your data. Several of the larger cloud services note that they are not responsible for maintaining the integrity of data stored on their systems. Instead, it is critical to choose a BDR partner with an appropriate backup and disaster recovery solution. A true BDR solution involves more than just having a second copy of your data. A BDR process ensures that your data is redundant, accessible, and viable.

What Does a Secure BDR Solution Encompass?

Every company has its own set of data recovery requirements. Therefore, recovery point objectives (RPOs) and recovery time objectives (RTOs) will vary. An RPO identifies how often data should be backed up or replicated. In contrast, an RTO describes how quickly data can be recovered.
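The RPO and RTO definitions above, and in the SLA discussion under “The Importance of SLAs in DRaaS”, are easier to apply when measured against a real backup log. The following is an added example, not code from the article or from Coretelligent: it takes a constructed list of backup completion times, finds the worst gap the schedule actually delivered, and checks a hypothetical incident against assumed RPO/RTO targets of 24 and 4 hours.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample data (not from the article): completion timestamps of
# nightly backups taken from a hypothetical job log, ISO 8601 format.
# The 4 May job failed, so there is no entry for that night.
BACKUP_LOG = [
    "2023-05-01T02:05:00",
    "2023-05-02T02:07:00",
    "2023-05-03T02:04:00",
    "2023-05-05T02:06:00",
]

# Assumed SLA targets for this example; the article defines the terms
# but gives no figures.
RPO_HOURS = 24.0
RTO_HOURS = 4.0


def parse_log(entries: List[str]) -> List[datetime]:
    """Parse and chronologically sort backup completion timestamps."""
    return sorted(datetime.fromisoformat(e) for e in entries)


def largest_backup_gap_hours(entries: List[str]) -> float:
    """Longest interval, in hours, between consecutive successful backups.

    A schedule only honours an RPO if this worst-case gap stays within it;
    a single failed job can silently double the exposure.
    """
    backups = parse_log(entries)
    if len(backups) < 2:
        raise ValueError("need at least two backups to measure a gap")
    gaps = [(b - a).total_seconds() for a, b in zip(backups, backups[1:])]
    return max(gaps) / 3600.0


def schedule_meets_rpo(entries: List[str], rpo_hours: float) -> bool:
    """True if every observed backup interval is within the RPO."""
    return largest_backup_gap_hours(entries) <= rpo_hours


def evaluate_incident(entries: List[str], incident_iso: str, restored_iso: str,
                      rpo_hours: float, rto_hours: float) -> Dict[str, object]:
    """Compare one incident against the RPO/RTO promised in the SLA.

    data_loss_hours: time from the last good backup before the incident to
                     the incident itself (what the RPO bounds).
    downtime_hours:  time from the incident to resumption of critical
                     processes (what the RTO bounds).
    """
    incident = datetime.fromisoformat(incident_iso)
    restored = datetime.fromisoformat(restored_iso)
    if restored < incident:
        raise ValueError("restore time precedes the incident")
    prior = [b for b in parse_log(entries) if b <= incident]
    if not prior:
        raise ValueError("no backup exists before the incident")
    data_loss_hours = (incident - prior[-1]).total_seconds() / 3600.0
    downtime_hours = (restored - incident).total_seconds() / 3600.0
    return {
        "last_good_backup": prior[-1].isoformat(),
        "data_loss_hours": data_loss_hours,
        "downtime_hours": downtime_hours,
        "rpo_met": data_loss_hours <= rpo_hours,
        "rto_met": downtime_hours <= rto_hours,
    }


if __name__ == "__main__":
    # Hypothetical incident during the day whose nightly backup failed.
    print("worst gap (h):", round(largest_backup_gap_hours(BACKUP_LOG), 2))
    print("schedule meets RPO:", schedule_meets_rpo(BACKUP_LOG, RPO_HOURS))
    result = evaluate_incident(BACKUP_LOG, "2023-05-04T15:30:00",
                               "2023-05-04T18:45:00", RPO_HOURS, RTO_HOURS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The failed 4 May job leaves a 48-hour gap, so an incident that afternoon breaches the 24-hour RPO even though the 3-hour restore stays inside the RTO; that is exactly the kind of finding the semi-annual DR test is meant to surface.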

Furthermore, regulatory or compliance standards must be evaluated to see whether they have any consequences for data security. For example, financial services and life science companies are subject to stringent rules regarding the protection of digital assets.

Another necessary element in a data backup and disaster recovery strategy is developing and documenting a BDR plan. A BDR plan includes procedures for recovering data and systems, testing and validation methods, and identifying essential recovery personnel. This plan is crucial to ensure business continuity.

A final must-have component for any BDR plan is testing the recovery process regularly. Any difficulties or failures discovered throughout the testing process can be recorded and analyzed for modifications to the BDR strategy. In addition, test environments can be set up within a “sandbox” to minimize disruption to the production environment.


The ABCs of Backup and Disaster Recovery (BDR)

This white paper explains how data loss occurs, how backup and disaster recovery (BDR) works and helps you understand what to plan for and how to evaluate your BDR solution.

Three Core Principles

Whatever your BDR strategy entails, it should provide the core values of scalability, reliability, and resiliency.

  • Scalable BDR solutions expand as your business grows without exceptional effort by your team.
  • Whether on-premise or a cloud backup, a reliable solution is fully redundant and accessible from any physical location.
  • Resiliency requires protecting data from ransomware attacks and other threats.

Advanced recovery solutions take a multi-pronged approach in managing risk, including a dedicated team of professionals available for client support.

A Trusted BDR Partner

CoreBDR, Coretelligent’s fully managed backup and disaster recovery solution, meets the data protection requirements of the digital enterprise. CoreBDR offers secure, high-performance, cloud-based backup and restoration to deliver operational resiliency to your organization. CoreBDR is available for organizations with on-premise infrastructure and cloud environments and can be customized to fit your business operations. Our expert team has deep experience delivering to clients of all sizes in financial services, life sciences, and other industries.