Whether you are a board member, trustee, or member of senior management responsible for the financial or information assets of a retirement plan, foundation, endowment or other eleemosynary organization, you can be held individually liable for a cyber breach in your capacity as a fiduciary of the assets and information entrusted to your organization.
In its “Financial Services Digital Threat Report 2019”, ZeroFOX reported a 56% year-over-year increase in digital threats targeting the financial sector. For that research, ZeroFOX “scanned 2.9 billion pieces of content and found more than 8.9 million security events in a 12-month period”.
As fiduciaries rely more and more on cloud-based software services, social media, and mobile devices to communicate with colleagues and vendors and to manage the organization’s data, attackers gain more avenues to reach that information. Unfortunately, complete cyber security is a “negative goal”: you can never demonstrate that no weakness remains, so suffering a breach is a question of “when”, not “if”.
The standard used by Centre for Fiduciary Excellence (CEFEX) analysts for assessing fiduciary risk includes the practice: “Sensitive personal identifying information and assets of clients are prudently protected from theft, embezzlement and business disruption risks”. Following a prudent process may not prevent every breach, but it can significantly reduce both the likelihood of one and the cost when one occurs.
The fiduciary’s goal, particularly if the organization holds Personally Identifiable Information (PII), is to maintain the confidentiality, integrity, and availability of the data.
Some of the best practices we have seen fiduciaries implement include:
Designating a member of the management committee as the liaison between the chief information security officer and the committee, and supporting that person with online and in-person training.
Educating all employees on an ongoing basis about cyber-security hygiene: recognizing emails that may not be legitimate, not clicking links in suspicious messages, and not responding to vendor requests for sensitive information unless management has approved them.
Keeping systems up to date by promptly applying security patches to all software used in the firm.
Using strong passwords. Eight characters with letters, symbols, and numbers is a floor, not a target: current NIST guidance (SP 800-63B) favors longer passphrases over composition rules, screening new passwords against lists of known-breached passwords, and a password manager so that no password is reused across systems.
Requiring multi-factor authentication for clients, staff, and vendors whenever they access systems holding client information, not only the secure areas of the firm’s website. The most common form is two-factor authentication (2FA): in addition to a password, the user must present a one-time code generated for that login, typically by an authenticator app or hardware token. Codes delivered by SMS are better than nothing but are the weakest option, since a phone number can be hijacked by SIM-swap fraud.
Encrypting all data at rest (locally and in the cloud) and in transit. Most providers offer encryption, but when the provider holds the keys it can read the data, and so can anyone who compromises or compels the provider. Encrypting data on the organization’s own systems, with keys only the organization controls, before it reaches the provider removes that exposure; for messaging, this is what “end-to-end encryption” means. The trade-off is that the organization must then protect and back up those keys itself, because lost keys mean lost data.
Using Virtual Private Networks (VPNs) when clients, employees, and vendors access client information while on the road or at home. A VPN provides an encrypted “tunnel” between the user’s device and the firm’s server, so the traffic cannot be read on the hotel, airport or home network in between.
By communicating management’s commitment to cybersecurity, and following through on it, board members, employees, donors, and beneficiaries can trust that their fiduciaries have done their best to protect the organization’s information.