Steps BDs and RIAs can take to make their cyber threat response plan more effective.

Its year-end and time once again to review the Cyber-security plan and Incident Response strategy. Certain steps will help make the cyber threat response plan more effective whether you’re drafting the plan for the first time or conducting a review to improve it. 

Importance of an effective incident response strategy

The Cybersecurity Incident Response Plan becomes part of the Cybersecurity policy and outlines steps the firm will take when a risk or threat is discovered. All fund managers, investment firms, and securities brokerages are expected to have this policy in place, as it outlines what the firm is doing to minimize the risk of threats, and how it intends to administer response in the event of a breach. Firms are also expected to fully track and document their response steps, and fully disclose damage done, costs, and recovery procedures.

In order to develop a strong Cybersecurity IRP, an assessment of existing capabilities and threats is needed. SEC’s Office of Compliance Inspections and Examinations (OCIE) tells us what they expect in a sound plan.

OCIE Examiners will focus on and scrutinize areas of; governance and risk assessment, access rights and controls, data loss prevention, vendor and third party management, and incident response. Specifically, examiners will review whether established policies, assigned roles, system assessments, and plans to address events are sound. Examiners are keenly concerned about risk and handling of Personally Identifiable Information (PII).

Develop an Incident Response Team (IRT)

For most firms, containment and investigation of an incident requires a team effort with multiple departments involved. Depending on the size and structure of the firm; employees and service providers are assigned specific tasks to address various types of foreseeable incidents. The IRT leaders take responsibility as first responders and ensure initial tests outlined in the Response Plan are conducted. Therefore, it’s important that team members meet regularly to evaluate testing procedures and threats.

The Plan

Elements of the plan should include a list of critical contacts and resources. Essential contact information and resources should be readily accessible to persons responsible for activating critical resources in response to an incident. Contacts and information included may encompass forensic experts, legal counsel, insurance policy, data breach experts, notification services, press and media contacts.

Data breach experts recommend using an incident risk matrix to categorize risk levels between low, medium, and high. It’s a good policy to define “triggers” in the plan to help determine if an incident should be escalated to the next level. Escalation tends to be a key area where managers and first responders carry a level of uncertainty. For instance, a lost file with a single client or employee record may be medium to low risk. However, such an event could be classified as high risk requiring immediate action if it is a starting point for a greater threat. Triggers and matrices help IRP responders determine whether a threat should be escalated. 

Upon discovery or notification of a threat or attack, log the following information:

•          Name and Contact of person making the notification
•          Date and Time of notification
•          Date and Time Incident occurred (if known)

When investigating the incident, key elements to log include:

•          Source of the attack
•          Systems accessed
•          Information extracted or compromised
•          Security of sensitive client or firm information
•      Notification to Impacted Parties

The standards for notifying victims in the event of a breach can vary. State and federal laws differ, as do regulation governing financial industry sectors. When developing the IRP consider the regulatory standards and add additional layers of notification as deemed necessary. Firms should be aware the window for notification generally starts at the time an incident is first discovered.

Ease workload. Create notification templates covering various situations and make them readily available as part of the IRP. In event of an incident, the templates are used to communicate with clients, employees, service providers, and media relations. Take precaution when considering data security upon sending out communication; ensure the delivery method doesn’t further compromise PII (personally identifiable Information). Also, determine if clients and employees may need additional resources to mend damage.

Documentation and Regulation

The SEC will ask for documentation about incidents including losses incurred, cost of mitigation, along with circumstances and facts. The effectiveness of the IRP includes how well the documentation stands up under examination. 

Investigators often request various computer data logs and files pertaining to devices impacted and servers compromised. They may also look at employee communication, corrective actions taken, notifications, and the overall response of the IRT (Incident Response Team).

Include in the response; details about containment such as a factual description of the incident, preliminary risk assessment, and monitoring conducted after the incident was contained. 

Cybersecurity incidents are an ever evolving threat where attackers continually find inventive ways to do harm. Prevention is a strong form of protection, but not likely to be a solution in every situation. Preparation in advance gives firms the support plan they need to minimize risk and react swiftly.

To learn more about #cybersecurity #governance, Register for our free webinar December 6, 2016.

RND Resources assists Broker-dealer firms, Fund Managers, and RIAs with cybersecurity #assessment and planning solutions. 

Visit our website for more information, upcoming training events, gap analysis worksheets, and emerging trends in cybersecurity as it pertains to Financial Service firms.  www.finracompliance.com

Rule 2080 - #Expunge disputed records from #Brokercheck

Need to remove false or disputed claims from FINRA #brokercheck ?

Our recent post includes tips to help registered brokers get erroneous claims removed using FINRA #Rule2080 - Expungement

If you’re an advisor with a frivolous customer claim against you, you understand how much harder you now have to work to gain the trust of each and every client.  Some advisors have claims going back years from dropped cases which affect their earnings today. These advisors may find themselves in difficult situations where an investor feeling the sting of past losses tries to get recourse through a nuisance claim. Others investors may ”follow the herd” and assume their investment was mishandled the same as past clients. It’s an uphill battle and a hard one to win.

Whatever hardship past claims may be causing today, there is a solution for advisors that plan ahead and are willing to lose some of their sanity to hang on to their good reputation.

Read more at RND Resources Inc  - 

Compliance Audits and Consulting for Financial Service Businesses and Professionals.

Planning for Success: Startup RIA Tips (Part 1)

RND Resources specializes in assisting startup RIA firms complete the process of submitting an application to the SEC or state registry. Over the years we have seen a number of complications due to lack of understanding of the RIA formaiton process and poor planning.  RIA formation is not a one-size-fits-all business venture. There are a number of considerations investment advisors should address as part of the planning process to save time, conflicts, and expense later on.

 

SEC RIA registrations 2014 (588), 2015 (449)

Start with a Plan

An important step in starting a new RIA is to make a solid analysis of goals. When considering goals a thorough research of the business model, tax planning, custodian relationships, state rules, and more will impact the cost to establish the RIA and decisions down the line. For many investment advisors wanting to start their own RIA the effort involved in dissecting various aspects of formation is beyond their expertise.

Start at the beginning

To balance out the complexity in setting up a new firm, some RIA principals will start with a simple low cost template based solution and assume they will modify it later once they build up capacity. From what we’ve seen, this can create a number of even more complex problems that are not easy to upgrade or change once the firm is already doing business. As an experienced consultant to new RIA firms starting out, we caution against making decisions without fully understanding their impact.

Strategy: Business Model, Product Model, Fee Model

One important aspect of establishing a new RIA firm is complexity of the business model, both now and in the future. There are a number of products and client preferences to work with. Over years demographics change and consumer preferences evolve. For instance, if the plan is to serve younger generations, a Fintech strategy will need to be adopted as part of the business model. However, Fintech firms are in an evolving state where compliance regulation and product offering are constantly being developed. For a new RIA, researching a well thought out Fintech solution now can make the difference later when some Fintech providers will likely fail, or get tangled up in regulatory actions, bad press, or worse.

As another example, many firms want to start with a niche they’re comfortable serving. Matching the value proposition to long term goals is helpful. If a firm is adopting a competitive price strategy, they may decide to partner with a third party money manager rather than hire analysts. This decision is followed with the question of available resources through the partner, technology concerns, and restrictive agreements. There’s many other market segmenting factors as well that have restrictive consequences which are not easily changed.

The best consulting advice helps a newly forming firm winnow down the possibilities with stakeholders while discussing pros and cons of various options. Starting from a foundation that considers future strategy, a new firm can apply resources toward meeting goals now and later.

RND Resources Inc assists new RIA firms with start up and formation strategy

Make decisions with confidence

Investment advisors that take the plunge should do everything possible to ensure that their new business is set up to maximize resources. “We’ve worked with a lot of RIA structures after they were set up and it’s clear that many don’t consider advanced planning strategies”. Some mistakes are costly to fix in terms of adopting changes to procedures and policies, negative exams, and staff training.  Reaching out to an experienced consultant allows new business stakeholders make important decisions with confidence.

For more information check out our Resource Guides 

Resource Guides for Breakaway Brokers and Startup RIAs

RND Resources Inc | Compliance  * Consulting * Audit * Startup & Formation 

Broker-Dealers, RIAs, Private Equity, Family Offices

Action Plan for BDs & RIAs to implement the #DOLFiduciaryRule

Broker-Dealers and Registered Investment Advisor firms are in need of an action plan to implement the DOL Fiduciary Rule change. As any experienced compliance officer can tell you, planning ahead will be key in making a smooth transition to the new standard.  For this reason RND Resources put together a practical plan for small to mid-size BD and RIA firms to understand the DOL rule change and implement steps to meet the new compliance requirement.

The presentation will help BDs and RIAs to understand

• Which products are affected by the DOL Fiduciary Rule of April 2016
• Developing an action plan to get ahead of the DOL change before it is mandatory
• Ways to gain a competitive advantage by implementing the DOL rule change early
• The difference between Level Fee and Non-Level Fee transactions and how to transition commission based products
• Determining when to use Transactional BIC versus Contracted BIC exemptions, and more….

Action Plan for DOL Fiduciary Rule April 2016 from RND Resources Inc

If you’re starting a new BD or RIA, adopting the DOL Fiduciary standard is key to growing your business in the Senior and Retirement investor marketplace. Start out by setting up products and marketing material along with policies and procedures that drive advisers toward retirement related standards. This will help place your new firm ahead of established firms struggling to change.

RND Resources is a compliance consulting firm that assists new firms with formation and registration.  Our professional staff also works with established firms that need on-going compliance support. We are able to generate customized policy and procedure updates so firms can quickly adjust to changes in regulatory requirement and products. We also provide on-going compliance support and report filing services on a monthly, annual, or interim basis. Call us for more information about training staff and implementing policy for the DOL Fiduciary rule change.

Download company brochure

  RND Resources Inc | Los Angeles CA | 818.657.0288 | www.finracompliance.com

Tips to Reduce Audit and Examination Costs for BD's and RIA's

How Broker-Dealer and RIA firms can reduce the cost of  Audits and Examinations

Mid-sized broker dealers struggle to stay on top of audit preparation work. Even with today’s automated accounting technology and regulatory software; compiling data and records for audits is a time consuming task that large companies assign to a task force who monitor audit capabilities year round.  Some firms try to save costs by preparing audit records themselves, but wind up paying more in the end. They’re charged higher audit fees as a result of poorly organized records, incomplete information, and misunderstanding of the auditors’ role. Once the auditor has received the records, it can be anyone’s guess how they will be interpreted and what additional questions may be required.  Firms can benefit from a significant cost savings by outsourcing the audit preparation work to experienced pro’s.

Minimize Risk of Negative Audit Results and Keep Audit Costs Down

An important component in minimizing the risk of negative audit results is to first understand what the role of the auditor is. The auditor is engaged to “render an opinion on whether a company’s financial statements are presented fairly, in all material respects, in accordance with financial reporting”. Firms that don’t recognize this often make the mistake of providing poorly documented information, assuming the auditor will straighten everything out on the go. This costly assumption leaves firms paying hourly audit rates for the auditors staff to properly organize the records before they start on the audit itself.  Having the auditor spend time organizing your records can add up fast.

To form an audit opinion, the auditor “gathers records, observes, tests, compares, and confirms accuracy of data and processes”. Then “the auditor forms an opinion of whether the financial statements are free of material misstatements and if fraud or error exists”. In analyzing records the auditor does not reconcile the accounts and financial statements, but makes a judgment on how well the company has reconciled its financial statements and accounts.  The auditor does not prepare footnotes or financial statement disclosures, but will assess what the company accountant has included in footnotes. The auditor does not maintain records, establish values, locate records, or prepare the entity for the audit. These responsibilities rest solely on the firm being audited. Further, the auditor does not make a recommendation for corrective action plans, rather they identify if corrective action measures should be taken.

A clear picture of what the auditor does and doesn’t do can be found in the PCAOB.org Ethics and Independence Rules for Auditors. The mainstay of auditor independence is that auditors do not take responsibility for records and financial statements on which they form an audit opinion. Responsibility for the financial statements and records lies squarely on the shoulders of the company being audited.

Learn more at the Compliance Roundtable Meeting -  June 14 & 15 2016 in Irvine or downtown Los Angeles

For more tips register for the June 2016 #LosAngeles #compliance and #riskmanagement roundtable meeting. The roundtable discussion meeting is sponsored by RND Resources Inc, compliance, audit, and regulatory support services firm located in Woodland Hills California. RND Resources has been serving broker-dealers and registered investment advisors for over 30 years with audit preparation services and regulatory support. RND Resources also provides regulatory compliance consulting & support for #fintech firms.  The secondary topic we’ll be discussing at the meeting is best practice for reviewing #cybersecurity along with system testing and penetration testing technology.  Sign up on our website at www.finracompliance.com 

Read more about Audit Preparation Support Services available from RND Resources Inc.

CyberSecurity Checklist and Gap Analysis Worksheet

Financial Industry Firms have specialized needs when it comes to developing cyber-security procedures and policies  

Brokerage and Investment Advisor firms hopefully recognize a one-size-fits-all approach to CyberSecurity does not work. Today's firms will need to look beyond their Information Technology personnel and consider their operations in order to establish a comprehensive Cybersecurity procedures and policies manual. Adopting an “ISSP” Information Systems Security Program appropriate to your circumstances and “IRP” Incident Response Plan that your personnel can successfully implement is key to prevention, detection, and recovery.

National Futures Association | CyberSecurity - Interpretive Notice  ¶9070

The firm must develop and maintain a written ISSP for securing customer data and access to their electronic systems, which should be maintained with the rest of the firm’s written procedures. Although the firm is not required to have a separate single document describing every aspect of its ISSP, a comprehensive written policy may be the best way to ensure that firm personnel know what the firm’s policy is, depending upon the firm's size and complexity of business and technological operations.

RND Resources recognizes the significant challenges and risks that investment securities dealers and advisors face in protecting sensitive client and company data as well as proprietary trade system information. Developing a plan consistent with your own firms operations is an important first step. The checklist we created will help you get started on the comprehensive ISSP and IRP. If you have any questions or prefer to have one of our professionals help get you started on a cyber-security program, please feel free to reach out to us at (818) 657-0288.

CYBER-SECURITY CHECKLIST WITH GAP ANALYSIS AND CYBER INSURANCE COMPARISON WORKSHEET

Click the link here to download RND Resources Inc Cybersecurity Checklist. The checklist will help you evaluate what your firm needs to conduct a thorough cybersecurity evaluation and develop the regulatory required “ISSP” Information Systems Security Program and “IRP” Incident Response Plan. Our checklist enables you to;

• Identify potential threats and risk gaps
• Rank the threat value of risk gaps
• Match gaps to sections of the CyberSecurity Compliance Procedure manual
• Assign tasks to team members
• Record completion estimates and due dates
• Maintain notes all throughout the process

BONUS: Cyber Insurance Comparison Worksheet

We’ve also included our Cyber Insurance comparison worksheet that will help you compare policy coverage limits and policy riders across carriers, as well as rank premium prices; all to help determine which policy best fits your firms level of risk and risk tolerance

Need Assistance?

Need help with Technical changes to your system or Penetration testing? We have the tools and expertise to; Conduct a quick-hit assessment of your Information System; Provide a high-level assessment report and; Develop the ISSP and IRP for regulatory compliance.  Call us for more information (818) 657-0288, or Complete the form on our website 

Tips to Developing #FintechStrategy for Investment Firms

Start-up technology ventures are exploiting Financial Services with a flurry of Fintech firms posing a threat to big banks. Broker-dealer firms, RIA’s, and wealth fund managers are feeling it too.

The staying power of Fintech Firms

Emerging Fin-tech firms are faster at innovation and willing to accept low margins as a cost of entry to the market. They have also benefited from slow-to-react regulatory authorities blinded by the word technology even as many cross over into risk based financial dealings. One strategy of Fintech’s is to offer niche solutions to customers; such as mobile bill payment solutions, peer-to-peer lending, and digital currency. As their subscriber base grows, they offer more and more services, pulling clients away from banks and traditional investment firms and into a fold of multi-layered solutions.

Some say Fintech firms will pull back when regulators catch up and start mandating oversight with examinations, monthly reports, and minimum net capital requirements. More likely, technology firms will come up with innovative technology and reporting features to satisfy regulator cries for control.  As a compliance consulting firm, we’re seeing an influx of #regtech solutions (also called regulatory technology) for compliance and audit management.

FINRA release: March 2016  Report on Digital Investments Advice

Office of Comptroller of the Currency release: April 2016   Responsible Innovation for Federal Banking System   

As emerging trends gain ground, regulators have taken note by releasing a series of recommendations and white papers about the Fintech surge, urging sound risk management and investor protection standards. Why are Fintech firms able to evolve and grow so fast? Economies of limited scope and awesome technical resources are one good reason. Here's more - 

• Private investors and non-public, pre IPO entities give leaders more control
• Limited focus on only one or two good ideas, for now…
• Specialized workforce with technical skill and experience in emerging technology
• Starting with new technology and platforms rather than adding on top of slower legacy platforms and procedures

How Investment & Brokerage firms get involved with Fintech Solutions

Securities firm executives are asking themselves how can I get on board with a Fintech strategy that captures the new breed of market share who doesn’t care if they ever talk to a human being at my firm, wants real-time data, and access to their account everywhere they go.

Get started with your own #FintechStrategy  

Determine a goal. Firms first need to decide on a strategy and then discuss action to implement a Fintech business plan. A team should collectively decide the role technology will take such as;

• Reduce overhead costs – (i.e. replace an employee with technology)
• Drive revenue – (i.e. pay per transaction service)
• Add Value, Client Retention  – (i.e. convenience services; mobile stock alerts, text transactions)

Research Fintech business models. Consumers receive value from all kinds of technological advances including; the internet of things, mobile access to the web. They expect access to real-time data, and efficient on the go solutions. Many prefer talking to machines as opposed to people. There’s a variety of Fintech sector firms that securities businesses are suited to launch or participate in. Here's a few examples - 

• Retail Investments – Sigfig, Wealthfront, FutureAdvisor
• Institutional Investments – Stocktwits, SumZero, HedgeSPA
• Financial Research – Stocktagon, Q
• Consumer Banking – Gobank, Simple
• Business Tools – Zen Payroll, Xero Accounting
• Online Lending – Orchard Bank, Lending Club, Prosper
• Personal Finance – HelloWallet, BillGuard, CreditKarma
• Payments – Paypal, Wepay, Stripe
• Equity Financing – Seedinvest, EquityNet

Firms may also choose a less involved strategy like purchasing or investing in a Fintech firm by way of crowd-funding or a strategic partnership. Large banks and technology companies are already doing this. For instance, Google Ventures is heavily invested in the automated robo-advisor service “Robinhood”, while Goldman Sachs is backing “Motif-Investing”. One advantage to this strategy is the technology skill set is already in place.

Understand your target customer. Client investors these days are looking more and more for firms they can engage with. Consumers want real-time insight and advice. They’re highly mobile, active on social media, and enjoy participation in peer-to-peer structures. 

In looking at your Fintech plan, think in terms of what you’re capabilities are today and where you would like them to be in the future. From there, draft out a strategy to reach this goal. Consider that the differentiation between Fintech firm types is blurred. Many services cross-over into other unanticipated uses. Anticipate the unexpected.  For instance, smarter, faster trade solutions can lead to clients wanting simpler ways to raise money for investing, or access to simulated investment training, or even virtual reality trade exchanges. Online wealth portfolio management services can lead to a need for integrated banking solutions and on demand mobile money platforms. 

Take a look at your target market and anticipate what future needs will be or what needs are not being filled today. Develop a vision for your future business model that relies on new revenue drivers. Ask yourself what role technology can play in the business model. 

From there move forward to elements of the Fintech business model considering; budget and cost structure, revenue stream, and changes in overhead or organizational structure. With these elements in place, teams can decide if they want to build or enhance systems already in place, or invest in a Fintech firm. Some firms can develop a strategic partnership to launch their idea.

The best ideas will usually include; cloud computing capability, client pay-as-you-go services, or strategic vendor relationships.

RND Resources Inc is a compliance and audit consulting firm to the securities industry. We provide scaleable, integrated solutions for risk management and compliance. Visit our website for more details www.finracompliance.com/services  

We assist securities firms with a suite of regulatory compliance support programs;

• FINRA New Member or Change applications: NMA, CMA FINRA applications

• Financial Reporting & FinOps: FOCUS filing and related schedules, Annual Assessment reports

• Compliance Services: Procedures & Policies WSP, Advertising review, Annual Compliance Reviews, Outsourced CCO Principal Service

• Audit Services: FINRA regulatory examinations, Certified BD Audits, Custody Audit, AML review, Custody Exams

• FINRA Notice, Sanction, Complaints & Arbitration: Respond to regulatory notices, Customer complaint filings, Forensic Accounting, Expert Witness Service

• Cybersecurity Consulting: Procedure and planning, vendor management, staff training

• Fintech Consulting: Regulatory Compliance Consulting and Support Services for Financial Technology firms; Development and strategy consulting for Fintech entry firms

RND Resources Inc is a proud member of McGladrey Alliance. McGladrey is a leading provider of middle market audit, tax, and consulting services. This strategic membership gives us the competitive advantage of access to audit, technology, research, and tax planning tools. As a full service compliance firm for middle market brokerages and investment advisors, we’ll be able to serve clients with robust solutions and trusted technology platforms. McGladrey Alliance has global capabilities with professionals able to assist from over 100 countries. Visit our website for more details: http://www.finracompliance.com/about-us/mcgladrey-alliance-member/