Written by: Brendan Furey
What you need to know
When acting in their clients' best interest, registered investment advisors collect private information from their clients. This information forms the basis for the advice they will provide, whether through consultation or discretionary investment management. As a result, the advisor is in continuous possession of private client information for as long as it services a particular client, investor, or related participant.
Section 30(a) of Regulation S-P under the Gramm-Leach-Bliley Act of 1999 requires advisors (along with broker-dealers and investment companies) to adopt written policies and procedures that establish administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The SEC has said that an RIA's policies and procedures must address how the advisor conducts periodic risk assessments, implements a firewall, encrypts private client information stored electronically, and maintains a response plan for cybersecurity incidents. Advisors are expected to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.[1]
Why You Should Care
Identity theft, cyber fraud, and high-profile security breaches have become common occurrences, especially among commercial merchants and asset managers. Previously, we covered common misperceptions that sometimes stop advisors from properly protecting advisory clients from cyber threats. Since then, the SEC Office of Compliance Inspections and Examinations ("OCIE") has published a series of Risk Alerts announcing an examination priority on identifying cybersecurity risks and assessing cybersecurity preparedness in the securities industry.
The focus of the OCIE during exams will be on the following areas:
- Governance and Risk Assessment, including the level of communication to, and involvement of, senior management and boards of directors.
- Access Rights and Controls, including a review of controls associated with remote access, customer logins, passwords, protocols to address customer login problems, network segmentation, and tiered access.
- Data Loss Prevention, including how advisors verify the authenticity of a customer request to transfer funds.
- Vendor Management, including due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
- Training, including how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
To ensure that your firm is keeping up with regulatory requirements and industry best practices in this area, AdvisorAssist recommends that the CCO:
- Review written policies and procedures to ensure they include:
- Identification of Cybersecurity risks
- Controls in place to detect and mitigate the Cybersecurity risks
- Assessment of points of vulnerability, both operational and technological
- A mechanism to gauge the effectiveness of the policies and procedures that protect your networks and sensitive information
- Descriptions of how you will respond to a breach of security
- Train your employees on cybersecurity policies. The policies must be communicated and enforced by the highest levels of management.
- Document all testing and monitoring of cybersecurity policies.
- Engage an independent third party provider to conduct internal and external vulnerability assessment scans and penetration tests.
AdvisorAssist recently hosted a webinar on this subject; a replay is available to watch or download.