Zero Trust Cybersecurity Approach – Protecting Your Firm, And Your Clients

Four Crucial Pillars for Your Cyber Program

In 2021, the FBI’s Internet Crime Complaint Center reported that they had received 847,376 complaints related to cyberattacks – an all-time high for the organization. These attacks resulted is over $6.9 billion in losses for the victims.¹

Cyber criminals are becoming increasingly sophisticated. How can RIAs help ensure that their firm and their clients are safe from this growing threat?

To start, advisors should consider adopting a zero-trust approach to cybersecurity.

Zero-Trust Cybersecurity Approach

A zero-trust cybersecurity approach is simple: verify first, then trust.

As cyber attacks evolve and take on new forms, it’s impossible to predict how bad actors will try to infiltrate your systems.

With a zero-trust approach to cybersecurity, firms consider a broad range of factors to be potential threats until proven otherwise. By adopting this approach, RIAs can help prevent cyber attacks and ensure access to their data and information is only available to individuals and systems that have been reviewed and approved.

These factors that are considered potential threats under a zero-trust cybersecurity approach fall into four main categories: software, users, endpoints, and networks.

• Vendor Risk Management – ensuring third-party vendors follow their own comprehensive cyber policies, including RIA custodians.
• Software Hardening – reducing areas within RIA software that could be subject to cyber-attacks (i.e., removing inactive user profiles, cutting down technology stack to remove unused capabilities).
• Restricted Websites and Software – only allow company access to websites and software that are reviewed and trusted.
• Data Exfiltration Protection – ensure all exported data is restricted and trackable, including data exported by RIA team members (emails and technology user logins can be compromised).
• Web App Security Gateway – on-site or cloud-based programs designed to protect users from malicious websites and software; these programs review pages and software before enabling access for users.

• Identity Management – ensure only authorized personnel have access to RIA technology and data.
• Password Management – strong password policies can make a big difference in protecting firm data; consider leveraging pass phrases (longer passwords formatted as phrases or sentences that can be easier to remember but difficult to hack).
• Single Sign-On – when available, integrate approved technology providers with single sign-on to limit opportunities for malicious actors to steal password information and gain access to firm data.
• Multi-Factor Authentication (MFA) – all RIA technology should leverage multi-factor authentication, wherein a correct password will trigger additional forms of verification for the user (confirmation codes sent over text/email, face ID verification over an app, etc.).

• Cyber Settings – as part of a firm’s cyber program, technology endpoints should have their own cyber settings (i.e. cyber protection within firm computers, restrictions on computer updates/downloads).
• Full-Disk Encryption – all data held on RIA firm endpoints should be encrypted; if a device is lost or stolen, this helps to ensure malicious actors cannot access the data held on the devices.
• Anti-virus, Anti-Malware & Ransomware – implement solutions to help monitor and prevent access for viruses, malware, and ransomware.
• Endpoint Detection & Response (EDR) – leveraging an EDR technology solution can help RIAs monitor attacks on firm endpoints to ideally prevent damage/theft before it occurs.

• Firewall Hardening – similar to software hardening, firewall hardening is the reduction of areas within a firewall which could be vulnerable to an attack (limiting entrances to the firewall).
• Secure Remote Communication – consider establishing a VPN or other network service to ensure all company communications remain within the company network and are inaccessible to unapproved third parties.

Implementing Zero-Trust – Get Started Today

Implementing a zero-trust cybersecurity approach involves a number of moving parts – it’s important to get started now to help ensure your firm is prepared to handle expanding threats and comply with evolving regulations.

Cybersecurity can be difficult to understand, let alone manage. That’s why TradePMR has commissioned industry veterans Joel Bruckenstein, Technology Tools for Today, John O’Connell, The Oasis Group, and Brian Edelman, FCI, to develop a cybersecurity white paper.

The white paper dives into regulatory history surrounding cybersecurity, tips on how to build an effective cyber program, and ways RIAs can prepare today for new and expanding compliance requirements.

Alongside the white paper, we have also developed a worksheet which outlines common cybersecurity problems and how RIAs can implement a program that satisfies compliance requirements and meets cybersecurity goals.

If you’d be interested in speaking with the TradePMR team about how we approach cybersecurity, and if our RIA-centric service and technology could be a fit for your firm, we should talk.

We can dive into your needs and if TradePMR could help your RIA grow and thrive.

¹ FBI Internet Complaint Center 2021 Internet Crime Report

This material is not intended to be relied on as investment advice and does not constitute a recommendation of any particular investment or investment strategy or an inducement to buy or sell any securities. The opinions expressed herein are those of the authors and do not necessary reflect the opinion of Trade-PMR, Inc. Any opinions expressed are as of the date of this publication and are subject to change, without notice. Any reliance on the information herein is done solely at the discretion of the reader.

Joel Bruckenstein, Technology Tools for Today, John O’Connell, The Oasis Group, and Brian Edelman, FCI are not affiliated or associated with Trade-PMR, Inc.