Elevating cybersecurity and privacy resilience for RIAs with Envestnet

1 MIN. READ

Oct 29, 2024

Tech stack customization can significantly boost your firm’s growth and efficiency. By prioritizing both innovation and security, you can ensure sustainable growth while safeguarding you and your firm's reputation.

The importance of robust cybersecurity and privacy cannot be overstated for RIAs, particularly when managing financial assets. For over 25 years, financial advisors and firms have depended on Envestnet’s technology and solutions to help drive business growth and productivity for their clients, transforming the way financial advice is delivered. Our decades long experience has taught us that cybersecurity and privacy are shared responsibilities. Insecure configuration settings, improperly controlled user behavior, and motivated bad actors can all increase the risk of cybersecurity and privacy threats for RIAs.

The good news is that there are established industry best practices that can help to maximize protection of data on the Envestnet wealth management platform, and the teams responsible for defensive capabilities should consider the following best practices.

8 cybersecurity practices to implement in your firm

1. Strengthening security with single sign-on (SSO)

Single sign-on (SSO) allows users to access multiple platforms with one set of login credentials. SSO is an authentication mechanism that both enhances security and simplifies the user experience by reducing the number of passwords that need to be remembered and managed.

It is particularly valuable in environments where employees need to access various tools and platforms, making it easier and more efficient to enforce security policies, manage user permissions, and monitor access. For example, when an employee leaves the firm, all of their access is simply “clicked off” ensuring that they no longer have access to any sensitive data.

In addition to SSO authentication, strong password controls should be in place. The best passwords are long, random, and unique. NIST, or the National Institute of Standards and Technology, publishes periodic cybersecurity guidelines that are closely monitored and leveraged by the cybersecurity community.

2. Conducting regular reviews of access

Access reviews help ensure that only authorized and appropriate users have access to select systems and data. These reviews involve regularly auditing user access rights to verify they are aligned with their current roles and responsibilities. As employees change roles or leave the organization, outdated and otherwise inactive access permissions can accumulate; regular access reviews help identify and revoke unnecessary or excessive permissions. This is also important when it comes to third parties (e.g., sub advising) and administrative roles with inherently elevated privileges. Principles like role-based access, segregation of duties, need to know, and least privilege can go a long way in reducing this risk, as well as licensing costs.

3. Boosting protection with multi-factor authentication (MFA)

MFA adds an extra layer of protection to the authentication process by requiring two or more verification factors, beyond the standard username and password. These typically include something the user knows (like a password), something the user has (like a smartphone or hardware token), or something the user is (like a fingerprint or facial recognition). The importance of MFA lies in its ability to significantly reduce the risk of unauthorized access, even if a user’s password is compromised.

If you haven’t already implemented MFA, there are many leading vendors on the market today that can accommodate your specific business needs.

4. Implementing download restrictions

Download restrictions are aimed at controlling what files and software can be downloaded from the internet or other external sources. Downloads are among the top exploits used by attackers and hackers to gain access to an organization’s networks and systems. Unrestricted downloading can expose an organization to various threats, including malware infections, ransomware attacks, data breaches, and unintentional data leaks. Enforcing download restrictions improves prevention of the introduction of malicious software, unauthorized applications, and potentially harmful files into the organization’s network.

5. Protecting sensitive information with data loss prevention (DLP)

DLP solutions monitor, detect, and block the movement of sensitive information, such as financial records, intellectual property, and personal information, both within and outside an organization’s network. Regardless of whether it is the result of malicious intent, like an insider threat, or simply human error, like an accidental data leak, companies can incur severe financial, legal, and reputational damage when data moves somewhere it should not. Users should always verify content and recipients before sending messages or communications that contain sensitive or personal information.

6. Patching and updating systems regularly

Regular updates and patching help ensure that systems and applications are protected against the latest threats. Updates often include patches that fix security vulnerabilities, improve user functionality, and address bugs that could be exploited by attackers. Failing to keep systems and applications up to date leaves an organization vulnerable to known exploits, which can be particularly dangerous as attackers frequently target outdated and unpatched systems. Organizations can significantly reduce their risk of cyberattacks, maintain compliance with security standards, and improve the ongoing integrity of their IT infrastructure by establishing a disciplined approach to keeping all hardware and software up to date.

7. Training and awareness in cybersecurity

Training and awareness are all about empowering users to recognize and respond appropriately to potential threats. Human error is still one of the leading causes of cybersecurity and privacy breaches, often resulting from phishing attacks or the mishandling of sensitive information. Education can cover a wide variety of topics, commonly including identifying and reporting suspicious emails, avoiding phishing attempts, not oversharing in either professional or personal settings, and practicing good cybersecurity hygiene.

The proliferation of AI and deepfake-powered scams and fraudulent activity is only going to continue, further highlighting the importance of these educational campaigns. Organizations can significantly reduce the risk of otherwise successful cyberattacks by reinforcing a strong foundational understanding of best practices, current threats, and the importance of following cybersecurity and privacy policies.

We strive to be a reliable partner to our clients in this area. Our team promptly sends out alerts when we detect an increase in fraudulent activity that could impact anyone within our ecosystem. In these communications, we’ll clearly outline what we’ve observed, the outcomes, and the associated risks you should be aware of. We’ll also highlight best practices to help your firm proactively address the issue.

8. Understanding privacy principles

Privacy principles provide guidance on how to protect the privacy rights of individuals, ensure personal information is handled responsibly, and provide a framework for regulatory compliance.

The principles themselves cover a wide range of capabilities, and include:

  • Lawfulness, fairness, transparency: handle data in a legal, honest, and clear way.
  • Purpose limitation: collect data only for specific, agreed-upon reasons.
  • Data minimization: only gather data that is truly required.
  • Accuracy: keep data accurate and up to date.
  • Storage limitation: store data only for as long as it is needed.
  • Integrity and confidentiality: keep data secure and protect it from unauthorized access (see the tactical solutions above).
  • Accountability: be able to prove adherence to applicable laws and regulations.

Following these principles leads to better business outcomes and a more fair, transparent, and user-centric experience, enhancing cybersecurity and building trust between individuals and the organization along the way.

Collaborating for cybersecurity

Envestnet continuously strives to enhance the cybersecurity and privacy capabilities of our wealth management platform, but the proactive participation of those organizations that depend on Envestnet technology and solutions is key. By aligning to these best practices, you can significantly reduce the risk of cybersecurity and privacy threats and work to ensure that your data, and that of your clients, remains secure. Together, we can create a safer financial ecosystem.

To discuss specific cybersecurity issues, please speak with your relationship team.

Greg Shields

Written by Greg Shields

Principal Director of Data Privacy, Envestnet

As the Principal Director of Data Privacy at Envestnet, Greg provides consultative guidance on the ever-evolving data privacy landscape. He has over 10 years of experience across Privacy, Cybersecurity, Technology Risk, and IT Audit, and holds multiple certifications, including CISSP, CDPSE, CISA, CRISC, CIPT, and CIPM.

View all posts by Greg Shields

The information, analysis and opinions expressed herein are for informational purposes only and do not necessarily reflect the views of Envestnet. These views reflect the judgment of the author as of the date of writing and are subject to change at any time without notice. Nothing contained in this piece is intended to constitute legal, tax, accounting, securities, or investment advice, nor an opinion regarding the appropriateness of any investment, nor a solicitation of any type.

 

20241022-3962599

 

FOR INVESTMENT PROFESSIONAL USE ONLY ©2024 Envestnet. All rights reserved.