
Employee training may be the best cyber-defense

October is National Cybersecurity Awareness Month, making it a good time for companies, law firms, accounting firms, and other organizations to review their cybersecurity protection.

It’s often said that an advisory firm’s employees are its biggest cybersecurity risk; with proper training, however, this doesn’t have to be the case.

Therefore, a firm must institute a program that ensures employees are well aware of their role in protecting the firm’s most sensitive data while keeping up with the newest threats.

Cybersecurity is one of the greatest risks currently facing the financial services industry and a perennial examination priority for the Securities and Exchange Commission. The SEC has prioritized cybersecurity during adviser examinations with an emphasis on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

In general, the SEC and state authorities agree that cybersecurity training must be implemented on a periodic basis.

A policy that contains relevant information, that isn’t too burdensome for the firm or for its representatives, is easily supervised, and is specifically tailored to the firm’s activities, can be the best defense against cyber-crime.

Many midsize and large advisers have instituted large-scale training programs, often online, or have cybersecurity experts visit or present the firm’s employees with information about safeguards and current risks in the advisory space. Often, the online training modules can incorporate the firm’s cybersecurity policies and procedures into real world examples and assessments.

The online training can be assigned multiple times per year and easily modified to capture new risks.

Small firms may approach it differently due to limited resources. Paul Cox, CEO of Business Compliance Partners, a consulting firm that focuses on small-to-midsize firms, said he urges his firms to adopt customized cybersecurity policies and procedures and have each individual employee attest to their understanding. Cox also suggests that firms supplement their written policies with investor alerts, exam priorities, and risk alerts from the various regulatory bodies in order to increase an individual’s awareness of current risks.

Form of delivery aside, a firm’s cybersecurity training must be tailored to specific job functions and designed to encourage responsible employee and vendor behavior. The training must also outline the procedures for responding to certain cyber-incidents. In many cases, the way individuals initially respond to a breach can dictate its overall impact.

As with any training, records are important in order to keep track of completion and attendance, but also to act as evidence of compliance for the SEC.

As for cybersecurity training topics, these will differ based on the firm and its risks. However, most will include the firm’s policies and procedures on physical and software safeguards, outside risks, and the process for responding to a breach or attempted breach.

Physical & electronic safeguards

The physical and electronic safeguards overlap with many of the day-to-day tasks for advisory personnel. Therefore, it’s very important to cover these activities to better help mold these processes with data protection in mind.

The firm may choose to highlight its process for accessing the building, the rules and prohibitions concerning the areas where confidential information is stored, its shredding policy, and strategies for handling confidential information during the business day. The policy concerning the use and mandatory resets of passwords and the activation of the lock-out feature on devices (e.g., laptops) that access company information is also necessary.

Lastly, a training program may also cover the restrictions and control policies for mobile devices that are connected to the firm’s systems, such as passwords and software that encrypts communications.

Outside risks

The risks to cybersecurity often come from the outside. An employee must understand their role in protecting the company from these attacks when accessing the firm’s confidential information. Employees must be aware of the policies concerning proper anti-virus software, firewalls, and the risks associated with the use of outside networks.

In 2019, regulators warned of phishing scams. Phishing may be one of the biggest risks to an advisory or brokerage firm’s cybersecurity program. The practice involves a criminal sending an email that appears to be from a legitimate company, asking an employee to provide sensitive information or to click on a link to a website that infects the firm’s systems with a virus, leading to a breach.

Therefore, a representative training program for investment advisers must include the defense against phishing emails. The training must describe signs or red flags that representatives can recognize before they act on the email.

These red flags may include:

  • An email that does not use the individual’s name. For example, if a bank or brokerage firm were notifying an individual of an issue, the firm would know and use the customer’s name;
  • An email in which the sender’s email in the header does not match the display name;
  • An email with an unfamiliar email attachment or one requesting it to be opened before further information is released; and
  • An email that is unsolicited or unexpected and contains grammatical or spelling errors, unnecessary capitalization, and poor sentence structure.
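The four red flags above can also be checked mechanically, which is a useful way to show trainees what each one looks like in a real message header and body. The screener below is an added example, not code from the article or from any firm or regulator it mentions; the two sample messages, the names, the domains and the short misspelling list are all constructed for illustration, and a production filter would use a proper spell checker and sender-reputation data rather than these stand-ins.

```python
"""Added example (not from the article): a small screener that applies the
four phishing red flags listed above to a raw email message. The sample
messages, names and domains are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a message posing as a bank alert.
SUSPICIOUS_RAW = """\
From: "support@examplebank.test" <alerts@mail-examplebank-login.example>
To: jdoe@advisoryfirm.test
Subject: URGENT: Verify Your Account NOW
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,

Your acount has been LOCKED. Please open the attached form and verify
your details immediatly to avoid suspension.

--b1
Content-Type: application/zip; name="verify_form.zip"
Content-Disposition: attachment; filename="verify_form.zip"

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary internal message that should raise no flags.
BENIGN_RAW = """\
From: Jane Smith <jane.smith@advisoryfirm.test>
To: jdoe@advisoryfirm.test
Subject: Q3 compliance review
Content-Type: text/plain

Hi John,

The Q3 compliance review is scheduled for Thursday at 10am.

Jane
"""

# Constructed stand-ins for the "spelling errors" and "unnecessary
# capitalization" signals; a real deployment would use a spell checker.
COMMON_MISSPELLINGS = ("acount", "immediatly", "recieve", "verfiy")
SHOUT_WORD = re.compile(r"\b[A-Z]{3,}\b")
EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def body_text(msg):
    """Return the plain-text body of the message (empty string if none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def missing_recipient_name(msg, recipient_first_name):
    """Red flag 1: the greeting line does not address the recipient by name."""
    lines = [ln.strip() for ln in body_text(msg).splitlines() if ln.strip()]
    greeting = lines[0] if lines else ""
    return recipient_first_name.lower() not in greeting.lower()


def display_name_mismatch(msg):
    """Red flag 2: the display name carries an address whose domain differs
    from the domain of the real sender address."""
    display, addr = parseaddr(str(msg.get("From", "")))
    real_domain = addr.rpartition("@")[2].lower()
    embedded = EMBEDDED_ADDRESS.search(display)
    return bool(embedded) and embedded.group(1).lower() != real_domain


def attachment_names(msg):
    """Red flag 3: names of any attached files."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def sloppy_language(msg):
    """Red flag 4: known misspellings or repeated shouting capitals."""
    text = str(msg.get("Subject", "")) + "\n" + body_text(msg)
    misspelled = [w for w in COMMON_MISSPELLINGS if w in text.lower()]
    shouting = SHOUT_WORD.findall(text)
    return bool(misspelled) or len(shouting) >= 2


def screen(raw_message, recipient_first_name):
    """Return a list of human-readable red flags found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    if missing_recipient_name(msg, recipient_first_name):
        flags.append("greeting does not use the recipient's name")
    if display_name_mismatch(msg):
        flags.append("display name does not match the sender address")
    names = attachment_names(msg)
    if names:
        flags.append("unexpected attachment(s): " + ", ".join(names))
    if sloppy_language(msg):
        flags.append("spelling errors or unnecessary capitalization")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        print(label, "->", screen(raw, "John") or ["no red flags"])
```

Running the script prints all four flags for the constructed bank alert and none for the internal note. The display-name check only fires when the display name itself contains an address from another domain, which is the pattern the article describes; it deliberately does not try to judge whether a plain company name belongs with a given domain, since that needs a list of the firm's known senders.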

Incident response

The process for responding to any cyber-incident may be just as important as the safeguards in place. An individual must be well-trained in how they are expected to respond to any incident. The training program must contain the process or chain of command for the reporting of lost or stolen devices and breaches, whether they are perceived to have any negative implications or not.

Firm employees must also be familiar with the incident response plan that may include elements to control the breach, the firm’s policy for internal communication and notification, and the firm’s investigation and client notification process for the breach.

This article was written by Jason Wallace, a senior editor for Thomson Reuters Regulatory Intelligence.