Does Your Investment Adviser Firm Have a Written Information Security Plan?
Rule 30 of Regulation S-P, issued by the U.S. Securities and Exchange Commission (“SEC”), requires SEC-registered investment advisers to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of client information. The SEC's willingness to enforce Rule 30 was highlighted by a recent enforcement action against an investment adviser whose trading system was hacked. A year before the intrusion, an internal audit had found that the adviser did not require strong passwords. When the intrusion occurred, the adviser had still taken no action to strengthen password security, and the SEC fined the firm $275,000 for failing to safeguard customer information. The lesson is that a known, documented weakness left unaddressed is itself a compliance failure, regardless of how the eventual breach occurs.
While state-registered investment adviser firms are not subject to Regulation S-P, the Federal Trade Commission (“FTC”) has adopted a Safeguards Rule that is similar to Regulation S-P and applies to state-registered investment advisers. In addition, some states have enacted their own requirements. In 2010, the Commonwealth of Massachusetts put into effect detailed and comprehensive regulations intended to prevent breaches of client data; they apply to any investment adviser with clients who are Massachusetts residents, wherever the adviser is located. The State of Nevada has enacted data encryption requirements that apply to all investment advisers located within the state. As legislators and regulators continue to make the protection of customer information a priority, investment adviser firms need to adopt comprehensive written information security plans to remain compliant.
Specific safeguards that belong in any such plan include requiring strong alphanumeric passwords to access firm computers, securing wireless networks and smartphones, encrypting laptops and external hard drives, and physically locking up client files when they are not in use. Beyond individual controls, a comprehensive information security plan should designate an individual responsible for information security, identify reasonably foreseeable risks, implement safeguards to control those risks, train employees on how to protect client information, audit whether the safeguards have actually been implemented and are effective, and outline the actions to be taken in the event of a security breach. The audit step matters most in light of the enforcement action described above: a plan that identifies a risk and then documents no follow-up is worse than no finding at all, because it shows the firm knew and did nothing.