Which cyberattacks could hurt your Registered Investment Advisor (RIA) Firm? The truth is, any and all cyberattacks could hurt your firm. So what can you do about it? Simply being aware is the first step, so let’s dive into the top 6 cyberattacks that could hurt or simply ruin your RIA firm.
These types of articles always seem to start with phishing. Why is that? Phishing emails work! As part of our RIA cybersecurity service, we send phishing simulation emails to clients and users click (fake) malicious links all the time. And no, we don’t send insensitive ‘claim your bonus’ phishing emails like GoDaddy!
Phishing is the #1 cause of data breaches. It’s one of the most common ways for criminals to steal money or data. Attackers can trick you into giving up social security numbers, financial account numbers or login credentials.
Phishing emails often tug at your emotions and create a sense of urgency (which is why COVID-19 related phishing emails were so effective!).
Learn more about the SEC cybersecurity guidance on Phishing in our article: SEC Cybersecurity Guidance: Phishing
In September 2020, the Office of Compliance Inspections and Examinations (OCIE) released a risk alert about credential stuffing.
Credential stuffing is an automated attack in which hackers get usernames, passwords and email addresses from the dark web and then use automated scripts to try those credentials on other websites.
The most important thing you can do right now is make sure you use multi-factor authentication (MFA) wherever you can. This makes it that much harder for cyberattackers to access your accounts.
According to a 2018 study by Opus and Ponemon which involved 1000+ CISOs in the US and UK, 59% of companies said they have experienced a data breach caused by one of their vendors. Big companies like Target and Home Depot have experienced the pain of third-party breaches. And these types of attacks can impact RIA firms too.
You need to take the time to audit your vendors. You are only as strong as your weakest link, and if your third-party vendor has weak security, so do you.
We recommend a third-party vendor risk management process like this:
If you need more details on the points above, check out our article: Third-Party Vendor Risk Management: A How-To Guide.
Ransomware is not just a ‘big company’ problem. It is hitting companies of all sizes, and when it hits, you need to be prepared. This is a cyberattack that RIA firms need to learn about.
Ransomware is a form of malware that encrypts and holds your data hostage until you pay the ransom. You can suffer downtime and lose money or data as a result. Bitdefender indicates a 715% year-over-year increase in ransomware-related scams. That’s huge!
Your users need to know common signs of ransomware:
Your users should also know how to respond to ransomware:
Finally, your users should know how to prevent ransomware attacks:
To learn more about ransomware and the bullet points outlined above, check out our articles:
Generally, employees are called the ‘weak link’ in cybersecurity. And it makes sense. You can spend tons of money on systems and security services, but at the end of the day, it’s human error that can cause breaches. An employee could click on a phishing link, lose their laptop or accidentally share the wrong documents.
But instead of looking at your employees as weak links, look at them as your last line of defense against cyberattacks. Empower them with proper cybersecurity training and create a culture that encourages learning and sharing.
We recommend sharing this article with your employees, so they can explore more about phishing, ransomware and the other top cyberattacks that RIA firms face every day.
Client cybersecurity is critical for your business. Your RIA firm can take all the steps towards proper cybersecurity practices, but if your client’s email or computer is compromised, it could impact your business in a bad way.
Here are some of our favorite tips to share with your clients:
Can you ultimately 100% prevent these RIA cyberattacks from happening? Unfortunately, the answer is no. But that doesn’t mean you can’t take action. And if you’re working towards complying with SEC cybersecurity guidance, you NEED to take action. So what can you do?
Adelia Risk provides cybersecurity protection exclusively for small, high-value companies in highly-regulated industries like financial services. Our cybersecurity service is the one-stop-shop for everything you need, customized for your firm!
Schedule a strategy session to get started: https://adeliarisk.com/sec-cybersecurity-strategy-session/