The financial services industry is a prime target for cybercriminals. Though there are many different types of cyberattacks that could impact your business, software supply chain attacks are poised to become one of the biggest cyber threats to organizations in the coming years.

A supply chain attack is a specific type of cyberattack where your system is infiltrated through a third-party vendor, such as your financial planning software, computer system monitoring platform or phone system provider.

In a highly targeted industry like financial services, it is crucial that you work to protect your firm from these types of cyber threats. The below information security best practices can help you mitigate risk and strengthen your cybersecurity posture.

Evaluate Your Third-Party Provider’s Cybersecurity Position

Before you partner with a third-party provider, it is critical to conduct due diligence to ensure that the vendor is a good fit for your firm. A key component of that due diligence is having a thorough cybersecurity questionnaire.

Many established vendors will have a Security Statement prepared that they will share with you when asked about their security policies. Their statement may cover most, or even all, of the topics that a typical cybersecurity due diligence questionnaire would ask about. However, it’s a good idea to have a questionnaire prepared in the event your vendor does not have a Security Statement or it doesn’t provide all the information you’re looking for.

Here are six questions you should include in your cybersecurity due diligence questionnaire and what you should expect from your provider:

1. Are there internal security policies and procedures in place?

A formal information security program is a must. You should be looking for your vendor to have an Information Security Plan, an Incident Response Plan, and a Business Continuity/Disaster Recovery Plan that are regularly reviewed and updated.

2. What types of security risk assessments, penetration testing, and vulnerability scans do you conduct, and how frequently are they conducted?

Regular assessments and testing will ensure that your vendor knows how secure their environment is and can identify any weaknesses that need to be rectified. These types of assessments and tests should be conducted on at least a yearly basis.

3. What user authentication and technical prevention measures do you have in place?

Some of the measures your vendor may be using to keep their network secure include multi-factor authentication, firewalls, endpoint security products, data loss prevention, and intrusion detection/prevention systems.

4. How is data protected when in transit between the vendor and the user? How is data protected on servers and backup media?

You should expect for data to be encrypted both in-transit and when at-rest. This helps ensure that sensitive data and private information is hidden from and inaccessible to unauthorized users.

5. Are employees and contractors required to complete regular data privacy and security training?

Security awareness training should be a key component of any organization’s information security plan to limit the human errors that can lead to security issues.

6. What due diligence is performed on contractors and vendors?

Just like you’re performing due diligence on your potential vendors, your vendors should be performing due diligence on their own vendors to ensure that their environment stays secure.

While you can’t control the security of your third-party providers, performing a detailed assessment will help you understand their cybersecurity environment and evaluate the risk of partnering with them.

Keep in mind that different vendors will pose different levels of risk to your organization. How critical they are to your business, their access to sensitive data, and their susceptibility to disruptive events, such as natural disasters, are all factors that contribute to the level of risk a vendor presents.

You should exercise the greatest cybersecurity due diligence with the vendors that have the highest levels of access and importance to your business, such as your financial planning software solution. It is also important to reevaluate the cybersecurity position of these high-risk vendors on an annual basis. Cyber threats and their defense methods are constantly evolving, so cybersecurity programs need to evolve along with them.

Bolster Your Firm’s Cybersecurity Program

While it is important to ensure your vendors have a sufficient cybersecurity program, your own cybersecurity program is just as important. One of the best ways to protect your firm against the threat of supply chain attacks and other cyber threats is to establish formal policies and follow cybersecurity best practices. Many of the strategies you will want to put in place at your own firm are the same practices you will be looking for in your third-party vendors.

Create a Formal Information Security Policy

Your first step in protecting your firm is to develop a cybersecurity strategy and implement formal policies that, at minimum, meet SEC cybersecurity requirements for financial services companies and FINRA’s guidelines. A comprehensive cybersecurity policy will document how your firm will prevent, detect, and respond to cybersecurity threats.

Exercise Safe Technology Practices

Ensure that you have the basics covered, including implementing and maintaining up-to-date firewall and endpoint protection. Other things you can do include ensuring automatic updates are enabled and using a password management system or password safe to create and store randomized passwords.

Implement Multi-factor Authentication

Multi-factor authentication is a security technology that requires the user to provide two or more verification factors to gain access to a system. Along with your username and password, most multi-factor authentication systems require you to enter a one-time pin code that you receive via email, text message, or a mobile app. This ensures that even if one credential is compromised, the unauthorized user will not be able to meet the second authentication requirement and access your system.

Share Sensitive Data and Documents Securely

Special care should always be taken when sharing sensitive information via email. If you need to send this type of information over email, encrypt the data via email services or encrypted archives and share the password through a different communications method such as over the phone or in a text message. Utilizing a secure file transfer solution is another simple and secure way to share information.

Proactively Educate Your Employees

People consistently play a large role in successful cybersecurity breaches, whether that’s due to stolen credentials, an employee falling victim to a phishing email, or a simple human error. Educating yourself and your employees about cyber threats, how to recognize them, and how to react to them should be a critical part of your cybersecurity program. Implementing phishing exercises with the help of your cybersecurity team can help employees put what they’ve learned into practice.

Develop a Security Statement

Just as your vendors’ cybersecurity programs are a concern for you, the strength of your cybersecurity program may be of concern to your clients. Consider writing a Security Statement that you can share proactively to help alleviate any concerns your clients may have.

Protect Your Firm by Remaining Vigilant

Keeping your firm safe from supply chain cyberattacks and other types of cybercrime is an ongoing process. As cyber criminals evolve their methods and launch more sophisticated attacks, it is more important than ever to stay up to date on cybersecurity best practices.

By staying vigilant, maintaining a cybersecurity program that includes vendor due diligence, and regularly reviewing your policies and procedures, you can help ensure that your firm is managing your clients’ finances safely.

Learn more about additional steps you can take to strengthen your firm’s cybersecurity position and help your clients protect themselves.

DISCLAIMER: The eMoney Advisor Blog is meant as an educational and informative resource for financial professionals and individuals alike. It is not meant to be, and should not be taken as financial, legal, tax or other professional advice. Those seeking professional advice may do so by consulting with a professional advisor. eMoney Advisor will not be liable for any actions you may take based on the content of this blog.

You may also be interested in...