Gone are the days of the rotary phone. Data is immensely portable. As we — individuals, consumers, corporate employees, investment advisors and financial investors — continue to rely on our mobile devices for everything, the level and amount of sensitive data that is stored on our mobile devices continues to increase. All of this use leads to a rising need and demand for heightened mobile security via mobile device management (MDM). Cybersecurity Risk Management MUST include Mobile Device Management. The SEC Cybersecurity Guidance points to this need.
The SEC Cybersecurity Guidance (as published by the OCIE) isn’t prescriptive about mobile use, or the specific tools that you need to keep mobile devices secure. We haven't seen any enforcement actions specifically around mobile devices either.
However, in the 2017 Risk Alert: Observations from Cybersecurity Examinations, the SEC very clearly calls out the need to have controls over mobile devices. As they observed a wide swathe of Registered Investment Advisor Cybersecurity Programs, they noted that the most secure investment advisors:
"Required and enforced restrictions and controls for mobile devices that connected to the firms’ systems, such as passwords and software that encrypted communications."
The goal of this article is to fill in some of the blanks about cybersecurity risks with mobile devices. As you consider cybersecurity threats in your own firm, mobile device risk is definitely an area you need to consider.
In order to meet the cybersecurity needs of the industry, many tech companies (including big names like Cisco, SAP, Microsoft, and Samsung) currently offer comprehensive MDM products and solutions that are designed to monitor, manage, and secure employees' mobile devices.
Wealth management firms who turn to MDM solutions typically do so for three reasons:
Here’s a real world scenario. You give your employees access to your company email via their smartphones. If you’re like most companies, you probably let them use their personal devices.
But what happens if someone leaves? Worse yet, what if it’s a bad termination? How do you make sure that they can’t use the data on their phone to cause harm to the company?
Even in the rare case that employees are allotted separate personal and business devices, most companies know that it’s common for employees (and senior management!) to end up mixing their business and personal device use. Employees check their work email on their personal device or send personal messages from their work devices. This continues to be a cybersecurity liability that should be avoided at all costs. Even company-owned phones need to be managed.
As the SEC cybersecurity guidance has not been prescriptive on specific measures, we’ve put together a number of recommendations for what to look for that should get you started on considering the risk factors and choosing your MDM solution.
It’s important to note that Mobile Device Management started as a solution focused on smartphones and tablets, but most major vendors now offer features to control mobile computers (e.g., Windows or Mac laptops) as well.
How do you choose a Mobile Device Management solution that’s right for your business? There is much to consider. (Remember, we're trying to meet the SEC Cybersecurity Guidance as a common sense route to ACTUALLY securing our firm's data and our customer's data.) What all of these solutions SHOULD be providing:
Different devices have different configuration options. Here are some of the most common:
Be sure the system you select can:
In addition to the list above, many Mobile Device Management systems now also offer a number of options that allow for remote control over devices. Think of the ability to locate lost devices! There are geofencing capabilities and related automated alerts that can automatically provide alerts if/when company devices travel outside specified geographical boundaries. These can be especially helpful for companies that have a lot of employees that regularly travel for business and may have a higher level of cybersecurity risk and incidents with their mobile devices.
The SEC cybersecurity guidance is clear that mobile data management needs to be prioritized as part of your cybersecurity risk management. The MDM solution that you choose for your business should depend on a number of factors including the level of control that you need to have over your devices, the types of devices that your company is using (Mac vs. Windows, iOS vs. Android), and how user-friendly the solution is for your system administrator/IT Team to set up and maintain.
In the end, your goal is to prevent mobile device-related cyber incidents. Of course, every firm should strive to be compliant with the guidance from the Securities and Exchange Commission, but the cyber threats posed by mobile devices pose a very real risk to your firm.
As you move forward, the one thing you have to be honest about is your bandwidth.
Do you actually have the time to handle this for your firm?
If you do, and want to dive deeper, learn more about our approach to delivering robust cybersecurity for registered investment advisers by downloading our whitepaper “How Successful RIAs Handle Cybersecurity.”
In the paper, you’ll learn about our 21 Pillars of Cybersecurity — 21 things that all registered investment advisors need to have in place to keep client data safe and to comply with cybersecurity guidance.
If you don't have the bandwidth, then it is time to bring in a team who does…– AdeliaRisk.