This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs. You can download our ebook on it at https://ria.tips/ebook.

Risk assessments may be the single most important step to implementing the rule: your entire cybersecurity program will flow out of what your risk assessment turns up.

Assessing and understanding risk is the core of a risk assessment. If you can map out your business processes, where your data lives, and the core technical components and vendors of your business, you can conduct one.

This isn’t for the geeks.

While you can’t complete this without your IT department, it isn’t for them. “[The] risk assessment should inform senior officers at the adviser or the fund of the risks specific to the firm and support responses to cybersecurity risks...”

You can ask, “if this system were interrupted or accessed, would it disrupt operations or expose confidential information?”

Here are the steps of a basic risk assessment:

1. Identify: Identify your information systems and the data that you store on them.

2. Service providers: Identify your critical service providers.

3. Categorize: Categorize your risk. At a high level, this is (a) operational risk and, (b) risk of data loss.

4. Classify: Classify the severity of the risk, either by the potential impact on operations or the amount and sensitivity of the data involved.

5. Prioritize: Prioritize the risks based on the categorization and classification.

6. Review: Review the service providers you identified, check on their internal controls and the contracts you have with them.

7. Plan: Create a business continuity plan (BCP) that outlines how to prevent, mitigate, and respond to IT outages, and create an incident response plan (IRP), which documents the steps your firm will follow in the event of a cybersecurity incident.
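To make steps 1 through 6 concrete, here is an added example (not from the original post) of a minimal risk register that categorizes each system into operational risk and data-loss risk, classifies severity, prioritizes, and lists which service providers to review first. The inventory, the 1-5 scores and the vendor names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample inventory for steps 1 and 2 (identify systems, data and
# service providers). Scores are illustrative 1-5 ratings, not from the post.
@dataclass(frozen=True)
class System:
    name: str
    provider: str          # critical service provider, or "in-house"
    ops_impact: int        # 1-5: disruption if the system is interrupted
    data_sensitivity: int  # 1-5: sensitivity of the data it stores
    records: int           # number of client records it holds

INVENTORY = [
    System("portfolio accounting", "vendor-a", 5, 4, 1200),  # hypothetical vendor
    System("email", "vendor-b", 3, 3, 1200),                 # hypothetical vendor
    System("marketing site", "in-house", 1, 1, 0),
    System("custodian data feed", "vendor-c", 4, 5, 1200),   # hypothetical vendor
]

SEVERITY = {1: "low", 2: "low", 3: "medium", 4: "high", 5: "critical"}

def categorize(s: System) -> dict:
    """Step 3: split each system's risk into operational risk and data-loss risk."""
    # Data-loss risk rises with both sensitivity and volume; capped at 5,
    # and zero when the system holds no client records at all.
    volume_factor = 1 if s.records >= 1000 else 0
    data_loss = min(5, s.data_sensitivity + volume_factor) if s.records else 0
    return {"operational": s.ops_impact, "data_loss": data_loss}

def classify(s: System) -> str:
    """Step 4: severity is set by whichever category is worse (impact on
    operations, or amount and sensitivity of data)."""
    return SEVERITY[max(categorize(s).values())]

def prioritize(systems) -> list:
    """Step 5: rank systems so the worst combined risk is handled first."""
    def score(s):
        r = categorize(s)
        return (max(r.values()), r["operational"] + r["data_loss"])
    return [s.name for s in sorted(systems, key=score, reverse=True)]

def providers_to_review(systems, min_severity: str = "high") -> list:
    """Step 6: third-party providers whose systems rate at or above min_severity."""
    order = ["low", "medium", "high", "critical"]
    floor = order.index(min_severity)
    return sorted({s.provider for s in systems
                   if s.provider != "in-house" and order.index(classify(s)) >= floor})
```

The output is the ordered list that steps 6 and 7 act on: which vendor contracts and controls to check first, and which outages and data exposures the BCP and IRP must cover.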

At its core, the risk assessment assesses business risk through the lens of cybersecurity. How do we continue operating if X goes down, or how do we respond if Y gets out or is stolen?

For most RIAs this should not be an intimidating exercise: every competent adviser analyzes, prioritizes and mitigates risks every day for their clients.

This is just in a different arena, but the principles are the same.