Do you think your BD, RIA, or cloud is protecting your clients?
Not a day goes by where I don't hear some form of the statement: "My BD/RIA/Cloud Storage Provider/Custodian/Landlord/girlfriend provides all of our cybersecurity needs."
Unfortunately, many firms are misled by statements from these providers and believe their clients are protected.
You can ask yourself these two simple questions to know if you are fully protecting your clients and meeting your compliance obligations:
1. Do they send you the audit reports each time they do a vulnerability scan? If the SEC or FINRA comes knocking, you are expected to have the documentation ready. Curious what documentation they request? Read here.
As the old saying goes, "If it isn't documented, it didn't happen."
2. Does your service provider scan your local network for vulnerabilities and provide a vulnerability assessment report at least annually? I didn't think so. If they aren't providing these scans, how do you expect to produce the documentation needed for an exam?
This quick video describes why you might not be protected like you thought you were.