This is the second installment in our continuing series on cybersecurity and fraud. You can read Part I by clicking here.
Have you ever received a letter from a company informing you that your private data may have been compromised?
If so, it should come as no surprise that companies can be the victims of cybercrime too. Companies are typically richer targets for cybercriminals. Businesses are not just protecting the company’s data but their clients’ data too. A successful cybersecurity breach in a company can compromise a far larger amount of data than personal breaches. The consequences of a successful breach of a company often include financial losses, disruption to operations, and damaged reputation.
Because companies are increasingly the target of cybercriminals, they should have cybersecurity systems in place to protect themselves and their clients. As clients you should question their cybersecurity practices and ask what steps they take to guard your data. You should do your due diligence before handing over your personal data.
At Level Financial Advisors we are committed to safeguarding the confidential information of our clients. As part of that commitment our company has a robust cybersecurity program. These are just a few of the practices we have in place to safeguard your data.
Annual Risk Assessment
If you were going to cross a bridge over treacherous waters, wouldn’t you want the reassurance that the bridge has been inspected for structural weaknesses and repaired?
Level Financial Advisors completes an extensive Annual Risk Assessment based on the NIST cybersecurity guidelines, widely considered one of the more rigorous standards in security. The purpose of the assessment is to identify current and emerging risks, then take action to minimize or eliminate those risks.
Incident Response Plan
In case of fire, please break glass!
Most people have probably experienced a fire drill or have a plan for an emergency. We think through what our priorities are: calling emergency services and saving the people, pets, and important documents. Lives can be saved when there is a plan in place for emergency situations.
Level Financial Advisors maintains a cybersecurity incident response plan, which is designed to prepare our staff to quickly and efficiently handle any cybersecurity events. The plan includes four areas: Triage, Analysis, Recovery, and Communication. Our initial priority in a cybersecurity event is to stop the attack (aka put out the fire). Then we perform analysis of what happened while we work on getting back up and running. Once we understand what happened our plan is to put in place corrective and preventive measures. And finally, we have processes for communicating with impacted clients, the authorities, insurance, and vendors.
Proudly, our company has never had to implement our incident response plan, but it is there if we need it.
Vendor Due Diligence
How well do you really know the companies that provide you with services?
That’s a good question for individuals but it’s a great question for companies. Companies are not monoliths. Most companies do not build their own software or server farms. They often outsource specific tasks to other companies with expertise. You wouldn’t necessarily want your bank to be focused on writing code for their email system. You’d probably want them to focus on your finances, not building email software from scratch. But the bank needs email to function in a digital world and so it likely outsources that task to a vendor like Microsoft. How do companies choose and monitor those outside vendors? Companies should have procedures for vendor due diligence.
Level Financial Advisors completes a detailed and comprehensive assessment of our technology vendors and third-party vendors with privileged access, both when they are onboarded and annually thereafter. This vendor due diligence ensures these other companies treat client data with the same seriousness and privacy as we do. It helps ensure they are consistently compliant with our cybersecurity policies. Vendors that do not live up to our standards of protection are not allowed to exist in our digital ecosystem.
Cybersecurity Testing
How do you know when something is broken or is working as expected? How do you know that your cybersecurity is effective? The answer is simple. You test it!
Level Financial Advisors regularly completes tests to assess our security. Penetration and vulnerability testing is completed by a trusted objective third-party vendor. Penetration testing involves the vendor attempting to get around or through the security features of our network. They attempt to access the firm’s data or network controls. Vulnerability Testing involves the vendor attempting to identify, evaluate, and assign severity levels to security issues.
Additionally, our company regularly checks our ability to retrieve and restore data from backups. This includes a full restoration of our server system to ensure the process is fully capable of disaster recovery.
Our backup systems also allow us to protect against ransomware attacks; we have the immediate ability to go back to a full restore of our systems at any point in time and eliminate any potential locks on our system. Likewise, this same system protects us against catastrophic failure of our internal hardware and systems. In the event of a disaster (a fire that destroys our building, for example) we have the ability to spin up our servers remotely from any location in the world.
Access Controls
My first task when I bought my house was to have a locksmith come out and rekey all the locks. Keys give you access to many things in your life like your home, your car, or your safe. Who has access to your keys? Not just the physical keys that give you access but also the metaphorical keys to your data. Companies should have policies and procedures to limit access to your data.
Internally Level Financial Advisors has dozens of policies and procedures that limit access and permission levels to the employees who need access as part of their job duties. Level periodically reviews those levels of access and access privileges to provide continued oversight.
When an employee leaves Level or a vendor contract is terminated, we have procedures in place to immediately remove access privileges to any sensitive information, whether physical or electronic. Additionally, we have processes in place to remotely wipe company data from devices, so if a laptop or mobile device is lost or stolen it can be secured even without physical access.
On the network side, Level Financial Advisors maintains a segmented network. Only approved devices are allowed on the internal network. All other devices utilize the guest network. We enforce the use of a VPN when accessing the network from outside the physical office locations.
Access controls are not just for electronic data. Level Financial Advisors also considers the physical security of data. Level utilizes motion sensors, entry alarms, and layers of locks to restrict access to the physical office environment. One of our policies includes a clean desk rule, where we require sensitive data to be locked behind additional security when not in use.
Even our employee areas are secured with key fob technology, so only authorized individuals can enter secure areas where customer data could be present.
Device Health
It’s generally a good idea to visit your doctor for a checkup at least annually to maintain your health. Similarly, computers and other electronic devices need regular checkups to ensure the continued health of the device.
Level Financial Advisors requires all computers to have approved antivirus and monitoring software installed. Through this software we control what software is installed, push regular software and system updates, and monitor the condition of the device. We are alerted to unusual activity on our network and devices, can block software from acting outside predetermined thresholds, and prevent the use of removable media.
To maintain device health and prevent unauthorized access Level Financial Advisors requires strong, encrypted passwords and enforces this with the use of an approved password manager. All computers deployed by the company have layers of encryption and passwords including encrypted hard drives. We also utilize Multifactor Authentication and IP whitelisting, which limits access to data to specific approved IP addresses.
Part of these processes includes upgrading and replacing devices as they age out of warranty and no longer operate at acceptable efficiency. Level Financial Advisors has a process in place for protecting any data that might remain on the device. We utilize a vendor who certifies the secure destruction of retired hard drives.
Staff Training, Monitoring, & Enforcement
What is the biggest risk to cybersecurity?
The first thought of most cybersecurity experts would be “People”. Any cybersecurity program is only as strong as its weakest link. Unfortunately, history has proven that “hacking” the human component is the easiest and most common way for cybercriminals to gain access. Many company cybersecurity breaches start with the seemingly innocuous action of clicking on a link or opening an email attachment.
While employees can be an area of vulnerability for a cybersecurity program, experienced, aware employees are often the first line of defense to prevent a cybersecurity breach. Employees can act as a kind of human firewall. When they know what to look for, are alert, and know how to appropriately respond, employees can stop cybersecurity incidents before they become a full-blown breach.
Level Financial Advisors conducts extensive cybersecurity training with all employees, both when they are hired as part of new employee orientation and through monthly refresher courses thereafter. We regularly train our employees on cybersecurity topics including, but not limited to, phishing, business email compromise, social engineering, data privacy, customer identification protocol, anti-money laundering, handling sensitive information, password health, AI, disaster preparedness, and common and emerging threats.
In addition to the required training, Level Financial Advisors also completes regular tests and reviews to ensure our training is effective and our policies and procedures are being followed. We complete monthly phishing and callback phishing tests on every employee. On a monthly basis we review emails, flagging keywords and looking for data sent to personal email addresses. We review laptops for device health, updates, and proper use. We also review software activity for logins and data use. We annually review employee access levels in critical software.
Client Identification Protocol
Have you ever reached out to our firm to request money? Maybe you recognize the voices of our employees, you’ve spoken to them so often. Maybe you inquire about their kids, or they ask about your most recent vacation. We know you. You know us.
Client Identification Protocol is the set of procedures a company uses to verify the identity of its clients. Maybe we asked you to confirm some piece of information, such as an account number or a social security number. If you emailed your request for funds, you would have received a phone call on a known number from one of our employees to verbally confirm the request. Part of Level Financial Advisors' CIP process involves verbally confirming any emailed requests for funds to combat fraudulent requests.
As the use of technology has increased, cybercriminals have started using AI to accelerate their skills. Cybercriminals can now convincingly use AI to mimic voices, speech patterns, and even faces on video, to the point that people's own family members have been fooled.
Many companies, Level Financial Advisors included, are researching ways to add additional layers of security to combat the use of AI in cybercrimes. In the coming months Level Financial Advisors will be adding new features to our Client Identification Protocol including the use of multifactor authentication for most money movement requests. Our clients should stay tuned for more information about this upcoming improvement.
Level Financial Advisors, Inc., including its owners and employees, is committed to the highest level of security when it comes to the protection of our clients' data. Our company is committed not only to meeting all statutory and regulatory obligations regarding cyber threats but also endeavors to create a culture of cybersecurity that goes above and beyond those regulations.
If you have any questions about our cybersecurity program or anything else discussed in this article, please do not hesitate to reach out to us.
Bethany Wagner
Chief Compliance & Cybersecurity Officer
This article by Level Financial Advisors, Inc. (“Level”) is intended for general information and educational purposes only. No portion of the article serves as the receipt of, or as a substitute for, personalized investment advice from Level or any other investment professional of your choosing. Before acting on any information contained in this article, it may be necessary to consult with the appropriate professionals to receive individualized advice.
Level is neither a law firm nor accounting firm, and no portion of its services should be construed as legal, accounting, or tax advice. No portion of the content should be construed by a client or prospective client as a guarantee that he/she will experience a certain level of results if Level is engaged, or continues to be engaged, to provide investment advisory services.
A copy of Level’s current written disclosure brochure discussing our advisory services and fees is available upon request or at www.levelFA.com.