Written by: Brendan Furey
What you need to know
When seeking to act in their client’s best interest, registered investment advisors collect private information from their clients. This information forms the basis for the advice they will provide to their client, whether through consultation or discretionary investment management. Understandably, the advisor is in continuous possession of private client information while servicing a particular client, investor, or related participant.
Section 30(a) of Regulation S-P under the Gramm-Leach-Bliley Act of 1999 requires advisors (along with broker-dealers and investment companies) to adopt policies and procedures that create administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The SEC has said that an RIA’s policies and procedures must include how advisors conduct periodic risk assessments, implement a firewall, encrypt private client information stored electronically, and maintain a response plan for cybersecurity incidents. Advisors are expected to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.[1]
Why You Should Care
Identity theft, cyber fraud and high-profile security breaches have become common occurrences, especially among commercial merchants and asset managers. Previously, we covered common misperceptions that sometimes stop advisors from properly protecting advisory clients from cyber threats. Since then, the SEC Office of Compliance Inspections and Examinations (“OCIE”) published a series of Risk Alerts announcing a priority for examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.
The focus of the OCIE during exams will be on the following areas:
- Governance and Risk Assessment, including the level of communication to, and involvement of, senior management and boards of directors.
- Access Rights and Controls, including a review of controls associated with remote access, customer logins, passwords, protocols to address customer login problems, network segmentation, and tiered access.
- Data Loss Prevention, including how advisors verify the authenticity of a customer request to transfer funds.
- Vendor Management, including due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
- Training, including how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
To ensure that your firm is keeping up with regulatory requirements and industry best practices in this area, AdvisorAssist recommends that the CCO:
- Review written policies and procedures to ensure they include:
  - Identification of cybersecurity risks
  - Controls in place to detect and mitigate the cybersecurity risks
  - Assessment of points of vulnerability, both operational and technological
  - A mechanism to gauge the effectiveness of policies and procedures that protect your networks and sensitive information
  - Descriptions of how you will respond to a breach of security
- Train your employees on cybersecurity policies. The policies must be communicated and enforced by the highest levels of management.
- Document all testing and monitoring of cybersecurity policies.
- Engage an independent third-party provider to conduct internal and external vulnerability assessment scans and penetration tests.
AdvisorAssist recently hosted a webinar on this subject; the replay is available to watch or download.