
Registered Investment Advisors (RIAs) – It’s time to invest in Cybersecurity!

This week, Ryan Neal wrote a piece for about how Registered Investment Advisors (RIA) need to step up their game when it comes to taking cybersecurity requirements seriously. Below is a quote, taken directly from the post, The Cybersecurity Problem Requires Human Solutions:

An examination of more than 1,200 investment advisors by the North American Securities Administrators Association uncovered 698 deficiencies, including no or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant and a lack of procedures regarding hardware and software updates or upgrades.

These are concerning findings given the sensitivity of the data involved, which is tied to some of the wealthiest individuals in the country.

So, what are RIAs to do? Invest in Cybersecurity! While the term “Invest” may sound expensive, many of the deficiencies noted in the post above can be addressed without breaking the bank.

For starters, the post above references two great educational pieces:

NIST – Small Business Information Security: The Fundamentals

NASAA – Cybersecurity Checklist for Investment Advisors

The next step is to invest in cybersecurity testing, and Rebyc Security can help. We recently put together a program to address the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Examination Initiative.

These examinations focus on key topics such as governance and risk assessments, access rights and controls, data loss prevention, vendor management, training, and incident response. Below, we’ve broken down the requirements and then provided our solution.

How to Comply with the Cybersecurity Examination Initiative:

OCIE Requirement:

Information related to the firm’s penetration testing, any related findings, and remediation efforts taken.

Rebyc Security Solution:

An external penetration test will help identify all of your firm’s externally facing resources, which may be exposed to attackers 24/7. Our consultants will assess your firm’s external exposure and provide a detailed report that outlines all related security findings, along with in-depth remediation recommendations to help your firm mitigate them.

OCIE Requirement:

Information regarding the firm’s vulnerability scans, any related findings, and remediation efforts taken.

Rebyc Security Solution:

An internal vulnerability assessment will scan all internal firm workstations and identify all known vulnerabilities that exist on the firm’s internal network. Additionally, we scan all Microsoft servers and workstations for missing patches, which are typically a main cause of vulnerabilities. Our consultants will provide a detailed report that identifies all vulnerabilities on the network and your firm’s current patch management status, as well as in-depth remediation recommendations.

OCIE Requirement:

Information related to monitoring exfiltration and unauthorized distribution of sensitive information outside of the firm through various distribution channels (e.g., email, physical media, hard copy, or web based file transfer programs) and any documentation evidencing this monitoring.

Rebyc Security Solution:

Conducting a phishing test against all of your firm’s employees will help assess the firm’s overall risk from external attackers. If successful, these tests can also serve as a great incident response training exercise. Our consultants will deliver a customized phishing attack against your firm’s employees and a detailed report that lists all employees who opened our message, visited our malicious website, and provided our consultants with sensitive information. Our report will also include detailed information on effective user-training strategies to minimize the firm’s exposure.

By combining these services and taking a comprehensive, holistic approach, your firm will have a solid cornerstone on which to build out its information security program.

If you are an RIA looking to bolster your cybersecurity position – let’s talk. The key is to get started now. You can email us at or submit a request via our contact page.