New York Planners: Time Is Running Out for Your Firm to Qualify for The NYDFS Cybersecurity Regulation Limited Exemption

Under the new NYDFS cybersecurity regulation (23 NYCRR Part 500), any individual operating with a license, registration, or similar authorization under New York banking, insurance or financial services law is required to assess their security risk profile, design a cybersecurity program that addresses those risks, and file an annual certification confirming that they are in compliance with the regulation.

September 27, 2017 is the deadline for filing your Notice of Exemption, and failing to file on time will cost your firm thousands if it would have qualified for the Limited Exemption.

You may qualify for a limited exemption if you meet any one of the following (the following information is from the New York Department of Financial Services and is available here):

Section 500.19 (a)(1): Have fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity

Section 500.19 (a)(2): Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates

Section 500.19 (a)(3): Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted principles, including assets of all Affiliates

Section 500.19 (b): An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity

Section 500.19 (c): A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of this Part

Section 500.19 (d): A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part

To file for an exemption: log into the NYDFS Portal and file. Save the email you receive after filing for evidence.

Key Dates Under New York’s Cybersecurity Regulation (23 NYCRR Part 500)

Here are other important dates to know when it comes to the new regulation (the following information is from the New York Department of Financial Services and is available here):

  • March 1, 2017: 23 NYCRR Part 500 becomes effective.
  • August 28, 2017: 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017: Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018: One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

If you need assistance filing for an exemption, Financial Computer is providing complimentary assistance for FPA members. Click here to schedule some time with one of our cybersecurity experts.

Brian Edelman is a cybersecurity expert and the CEO of Financial Computer, Inc., a company that provides cybersecurity, integrations and IT support to the financial services community.


8 Cybersecurity Best Practices

When it comes to cybersecurity breaches, there’s good news and bad news, according to the latest whitepaper from the FPA Research and Practice Institute™ and TD Ameritrade Institutional.

The good news is only 4 percent of firms surveyed experienced a security breach. The bad news is that while larger firms tend to experience more data breaches, smaller firms are increasingly being targeted.

But the whitepaper titled “Cybersecurity: Current Threats and Risk Management” offers readers a list of things to do to mitigate risk.

1.) Create a map of what should happen in the event of a security breach so that your entire team is on the same page.

2.) Update all email systems to limit potential for phishing attempts.

3.) Frequently scan for potential vulnerabilities. Scan more often than just quarterly or even annually to ensure your company and client data isn’t compromised. It may cost more now, but it will pay off in the long term.

4.) Brush up on your basics. Make sure you and your team both know what things make your data vulnerable and ensure that you’re not doing them. Read our last blog for some tips on how to keep your firm safe.

5.) Ensure all your and your employees’ mobile devices have safeguards to protect any data that can be accessed on them. Ensure that sensitive data is erased from these devices should an employee leave or get a new device.

6.) Ensure only company-issued hardware and devices are accessing your company network.

7.) Identify what data must be encrypted and properly encrypt any sensitive data that is sent via email.

8.) Do not use personal email accounts for business. Create and enforce a policy that prohibits or limits employees from using personal email for work-related correspondence.

Download the full whitepaper here. Find the full cybersecurity research report, along with the other whitepapers on the topic here.


9 Cybersecurity Tips to Keep Your Firm Safe

If somebody walked up to you and asked for your house keys, you wouldn’t give them away. But when somebody asks for our key identifying information on the Internet, most of the time we willingly hand it over. That’s what representatives from SeeGee Technologies Inc., a next-generation technology solution provider, told FPA staff at a recent cybersecurity training.

You may think that just because you have a small firm, cyber criminals don’t have any interest in you, but that’s not true. In fact, you are their portal into bigger pools of information. And your employees could unknowingly be putting you and your clients at risk each time they access sensitive information over unsecure connections.

“No individual or business is safe,” said Daniel Lakier, chief technology officer for SeeGee.

Always exercise common sense and responsibility when using the Internet and apps—don’t click on pop-ups, don’t click on links to track packages you aren’t expecting, and don’t provide personal information to hackers posing as your bank.

Here are some tips to keep your personal information and your firm’s information safe:

  1. Establish strong passwords and update them every 90 days.
  2. Don’t download email attachments you aren’t expecting and beware of emails telling you to download software to fix problems.
  3. Install anti-virus and anti-spyware programs on all devices before connecting to the Internet.
  4. Install and use a firewall on every device.
  5. Have physical access controls for all your devices.
  6. Backup all important data daily.
  7. Keep your software updates for browsers and operating systems current.
  8. Limit access to sensitive and confidential data and don’t ever access it on unsecure connections.
  9. Get technical expertise when needed.

For more information, visit seegee.com. Find more tips on cybersecurity from the FPA Research and Practice Institute™ here.

Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.


Cybersecurity: Preparing Your Team

Cybersecurity is high on advisers’ priority lists.

A white paper released by the Financial Planning Association and TD Ameritrade Institutional found that 81 percent of advisers say cybersecurity is high or very high on their firm’s priority list.

But there is a gap when it comes to providing mandatory training for staff. The white paper, titled “Cybersecurity: Is Your Team Prepared?” reported that 11 percent of firm CEOs “completely agree” that their team is fully aware of what would be required to adhere to guidelines set out by the Office of Compliance Inspections and Examinations (OCIE). And only 44 percent of firms with more than one team member provide mandatory training for employees.

But finding the right training for you and your staff is the ticket to closing that gap and safeguarding and preparing your firm for cyber attacks.

The white paper reported that the average team member receives less than two hours of cybersecurity training per year. But it offered some steps to take action on training.

  1. Define clear goals when it comes to cybersecurity. Keep the OCIE requirements as well as the goals of your team in mind during training.
  2. Define team expectations in relation to those goals. Be clear and concise in communicating your expectations.
  3. Gather input from the team. What questions or concerns do your team members have when it comes to cybersecurity?
  4. Conduct an anonymous internal assessment. Find out what your team knows and understands regarding OCIE requirements and cybersecurity.
  5. Identify gaps. Focus your training on closing these gaps.
  6. Create a training process. Determine how often, whether it’s mandatory and how you will deliver training, among other things.
  7. Summarize the training process. Summarize the process on a single page so you can tell your clients what you are doing.

For a full sample assessment recommended in step No. 4, download the full white paper here.

Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.


Be Proactive about Cybersecurity

Your clients are concerned about cybersecurity.

A recent study by Kaspersky Lab, a global cybersecurity firm, found that 65 percent of consumers worry about the cybersecurity practices of companies that have their personal and financial information. And yet the first of three white papers by the FPA Research and Practice Institute™, “Cybersecurity: Client Perception and Communication,” sponsored by TD Ameritrade Institutional, found that only 11 percent of financial advisers surveyed think clients are “very worried” about this issue.

Regardless of perceptions of how many clients may or may not be worried about cybersecurity issues, cybersecurity risks to advisers and their clients are real. The FPA white paper offers the following steps to be more proactive:

  1. Conduct a team meeting. In this meeting, ask employees what their experience has been and whether they’re hearing concern from clients.
  2. Gather data. Find out specifically what clients are concerned about. A survey might help with this. Doing so will help you determine what gaps exist between what your clients are worried about and what you are doing to mitigate their worry.
  3. Decide your role. Determine whether you want to reach out to clients proactively and tell them what your game plan is in case a breach occurs, or reach out reactively.
  4. Map out a communications plan. Figure out what you’ll say over multiple channels because one form of communication won’t be enough. You’ll need to communicate through emails, blog posts, articles, conference calls, etc.
  5. Focus on consistency. Make sure every staff member is relaying the same message to clients. Ensure all team members understand the issue.

Download the first of three white papers, as well as the full, original study at www.OneFPA.org/cybersecurity.

Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.


There’s Work to Be Done, says Cybersecurity Report

A day doesn’t go by when there’s not some attempt to hack personal information, Bryan Baas, the managing director of risk oversight and control for TD Ameritrade Institutional, said at a press conference at FPA BE 2016.

Baas was speaking on the results of the “Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment” study conducted by the FPA Research and Practice Institute™ and sponsored by TD Ameritrade Institutional.

Advisers are well aware of the issue and 81 percent of those surveyed say it is a high priority for them. But despite this, less than half of the advisers surveyed don’t understand the risks and how to mitigate them.

“Cybersecurity is with us every, single day,” Dan Skiles, president of Shareholders Service Group and a member of the FPA Board of Directors said. “It is something advisers need to worry about today, tomorrow, 10 years from now.”

The report found that there are several areas where advisers can improve in terms of establishing and implementing documented policies and procedures.

When it came to governance and risk assessment, 57 percent of the 1,015 survey participants had documented policies and procedures in place; 59 percent had them in place for access rights and prevention; 58 percent had them for data loss prevention; 51 percent had them for vendor management; and 43 percent had them for incident response.

Simply becoming aware that there is work to be done is an important first step.

What Can Planners Do Now
It doesn’t have to be so complicated, said Brian Edelman, CEO of Financial Computer Services, Inc.

Become aware. Become aware of what components you need to be looking at. Take an inventory of your data and do some risk assessment, which is similar to what you do with your clients.

Know that if there is a breach, you are responsible for notification. It’s embarrassing and distracting to have to tell all your clients there has been a breach, but the rule is clear that you must be the one to notify the clients.

If you have plans in place, practice them once. Ensure that your team is aware of what to do in each type of event that could possibly occur.

Give your clients tips to stay safe. Oftentimes, a breach that happens to you happens because one of your clients was hacked. So give them tips to employ tools like dual-factor authentication on their Gmail accounts.

Vet your vendors. You’re trusting these third-party technology companies with your information, so ensure that they are safe themselves. Visit their offices and see how they work and ensure they’re doing all they need to do to keep you safe.

These things might be a pain, but they’re necessary steps to ensure your and your clients’ safety.

“What is an inconvenience to you is most likely a roadblock to the bad guy,” Baas said.

Three upcoming whitepapers will be released by The FPA Research and Practice Institute™ and TD Ameritrade Institutional that will give advisers information on the following topics: how advisers are communicating with clients regarding cybersecurity; how advisers are training their teams on issues related to cybersecurity; and what tools and technology (and its associated costs) advisers are using to protect their business.

For the full study, visit www.onefpa.org/Cybersecurity.


Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.


Step Up Cybersecurity

As planners incorporate more technology into their offerings to clients, it’s imperative they stay on top of their cybersecurity measures.

“Cybersecurity is a major issue for financial planners in today’s highly technical, digital world,” writes Ben Lewis, FPA’s public relations team leader on an FPA Connect post calling for participants for a cybersecurity assessment that has since ended.

Anthony Stitch explains in the forthcoming August issue of the Journal of Financial Planning that planners who don’t provide the technology clients want these days may lose those clients to firms they like less but that offer the technology they prefer. This, he writes, is called digital attrition. Members, you’ll get to read the full article when it comes out. And if you’re not yet a member, maybe now is the time. Learn more here.

“As you incorporate more technology into the running of your firm, it’s important that you stay educated on best practices for cybersecurity,” Blane Warren, an industry leader in financial services marketing, compliance, and technology, writes on XY Planning Network’s website.

But this move toward providing more technology options means planners need to step up their cybersecurity game in order to keep their clients and themselves safe. That is something they’re not currently doing very well, according to a report from External IT titled “Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?”

InvestmentNews reports that the External IT report found three key areas lacking in financial firms’ cybersecurity: security policy (firms failing to audit their IT security); accountability when moving data (moving data to personal and home devices without tracking measures); and disaster recovery (not having emergency business continuity plans).

This isn’t to say that planners don’t want to address cybersecurity issues; rather, they don’t know where to go to get their information, Brian Edelman, chief executive of Financial Computer Services, told InvestmentNews.

Edelman recommends using a cybersecurity firm that understands financial services.

In a recent article, ThinkAdvisor recommended planners check out the following resources: National Institute of Standards and Technology (nist.gov) and the Financial Services Information Sharing and Analysis Center (fsisac.com).


Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.