AdvisorAssist recently hosted a webinar titled "Cybersecurity for RIAs: How Safe are You?" Click here to watch or download the replay.
What you need to know
When seeking to act in their client’s best interest, registered investment advisors collect private information from their clients. This information forms the basis for the advice they will provide to their client, whether through consultation or discretionary investment management. Understandably, the advisor is in continuous possession of private client information while servicing a particular client, investor, or related participant.
Section 30(a) of Regulation S-P under the Gramm-Leach-Bliley Act of 1999 requires advisors (along with broker-dealers and investment companies) to adopt policies and procedures that create administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The SEC has said that an RIA’s policies and procedures must include how advisors conduct periodic risk assessments, implement a firewall, encrypt private client information stored electronically, and maintain a response plan for cybersecurity incidents. Advisors are expected to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.[1]
Why You Should Care
Identity theft, cyber fraud and high-profile security breaches have become common occurrences, especially among commercial merchants and asset managers. Previously, we covered common misperceptions that sometimes stop advisors from properly protecting advisory clients from cyber threats. Since then, the SEC Office of Compliance Inspections and Examinations (“OCIE”) published a series of Risk Alerts announcing a priority for examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.
The focus of the OCIE during exams will be on the following areas:
- Governance and Risk Assessment, including the level of communication to, and involvement of, senior management and boards of directors.
- Access Rights and Controls, including a review of controls associated with remote access, customer logins, passwords, protocols to address customer login problems, network segmentation, and tiered access.
- Data Loss Prevention, including how advisors verify the authenticity of a customer request to transfer funds.
- Vendor Management, including due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
- Training, including how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
To ensure that your firm is keeping up with regulatory requirements and industry best practices in this area, AdvisorAssist recommends that the CCO:
- Review written policies and procedures to ensure they include:
  - Identification of cybersecurity risks
  - Controls in place to detect and mitigate the cybersecurity risks
  - Assessment of points of vulnerability, both operational and technological
  - A mechanism to gauge the effectiveness of the policies and procedures that protect your networks and sensitive information
  - Descriptions of how you will respond to a breach of security