As we all know, cybersecurity remains a top priority for the SEC and FINRA. Unfortunately, a recent Investment News article would suggest that firms do not take it as seriously, or, at least, firm employees do not.
A recent study of passwords by SplashData demonstrates that advisers and firm employees are not taking to heart their role in the firm’s cybersecurity. The study showed that login passwords still include such “impossible to decode” choices as “12345” or “password”.
It is hard to believe that in this day and age advisers do not accept their own responsibility for securing client and firm data. For example, firms should consider multilevel verification for access to client information. Another change would be to have computers lock (requiring a password to unlock) after a shorter period of inactivity. Although possibly inconvenient, this will better protect firm systems.
It seems to me that this study and article show that something is missing. That something seems to be adequate education and training. How else can you explain anyone using “12345” or “password” as a password?
Quite frankly, time is running out for firms. Your regulators are, no doubt, going to ding you if you have such weak passwords protecting client data. So what should you do?
First, adequately train all staff about the importance of an effective password. Second, make it a firm requirement that passwords be changed every 60 to 90 days. Third, implement multilevel steps to access client data.
You don’t want your clients reading about you being dinged by a regulator for not having adequate passwords. Take action now, before it is too late.