Operations Teams and Information Security

Wednesday, October 28, 2009 15:40

I recently had a discussion with a peer in the industry who works as a compliance director at an independent broker dealer. We were analyzing a recent SEC administrative proceeding that sends somewhat of a chilling message to technology managers at independent firms.

The SEC settlement of note fell under the Reg-SP rule of safeguarding customer information. In this case it was an independent broker dealer and RIA with a large universe of independent affiliated representatives. In short - it found the firm liable for not having mandated and enforced (my emphasis) appropriate security on every computer that had access to its intranet and online trading tools.



This is a simple scenario to resolve in captive systems or in a business entity that has complete control over all its locations and infrastructure. However - when you consider the current independent business model - in a simplified view it is an aggregation of numerous businesses agreeing to follow common procedures and processes. To date, that has not included the top level entity's (broker dealer or RIA) ability to control the Internet connection, security software, anti-virus applications, email client and so on, at the affiliated branch level.


This ruling brings that tradition into question. If a dually registered firm can be fined (six-figures in $) for an unsecured workstation at an affiliated branch that resulted in a breach of customer data - then that firm will likely re-think its strategy on how it needs to manage the technology of the businesses that affiliate with it.

Discussing this was not intended to be a "sky is falling" moment - but this peer was also noting that her broker dealer is already in serious discussions on how to assess and design a deployment of an anti-virus security suite to all of its registered representatives and affiliated RIAs - and modifying its technology fee appropriately.

My goal in recapping this discussion and issue was to refocus Operations teams toward adding a year-end internal audit of their procedures for managing customer information. There are several steps that can be taken.

  • Review your internal policies and procedures for handling of all customer information - both electronically stored and in paper format
  • Document who has access to which information, and in what formats
  • Determine and document how information leaves your office - i.e. over Internet or private electronic connections, fax, email, paper in hand, thumb drives - and look for areas of weakness.
  • As an amplification of the point above - do not send confidential customer information via email unless it is encrypted or over a secure email connection (account numbers, tax ids, health and medical data, etc.)
  • Review every computer under your control and ensure it has professional security software that guards against viruses, malware and related malicious programs and, more importantly, make certain it is configured to auto-update
  • Remember - the costs of security seem high until a security incident occurs - where the majority of firms realize the cost of insecurity can be massive and sometimes fatal to both business brand and business finances.

This is just a very brief discussion of a topic that deserves broader coverage. More will follow on strong processes for Operations teams to manage customer information.




Comments (1)

I hate to consider the consequences when a security breach occurs inside the facility of a cloud computing (SaaS) service provider. While web-based and hosted technology tools can help advisors be more efficient and effective with practice management, I think we still don't know how the regulations apply to the safeguarding of private information when that data is hosted by 3rd party cloud service providers.
billwinterberg, October 29, 2009
