Operations Teams and Information Security

This is a simple scenario to resolve in captive systems or in a business entity where it has complete control over all its locations and infrastructure. However - when you consider the current independent business model - in a simplified view it is an aggregation of numerous business agreeing to follow common procedures and processes. That has not to date included the top level entity's (broker dealer or RIA) ability to control the Internet connection, security software, anti-virus applications, email client and so on, at the affiliated branch level.

 

This ruling brings that tradition into question. If a dually registered firm can be fined (six-figures in $) for an unsecured workstation at an affiliated branch that resulted in a breach of customer data - then that firm will likely re-think its strategy on how it needs to manage the technology of the businesses that affiliate with it.

Discussing this was not intended to be a "sky is falling moment" - but this peer was also noting that her broker dealer is already in serious discussions for how to assess and design a deployment of an anti-virus security suite to all of its registered representatives and affiliated RIA's - and modifying its technology fee appropriately.

My goal in recapping this discussion and issue was to refocus Operations teams toward adding a year-end internal audit of their procedures for managing customer information. There are several steps that can be taken.

  • Review your internal policies and procedures for handling if all customer information - both electronically stored and in paper format
  • Document who has access to which information, and in what formats
  • Determine and document how information leaves your office - i.e. over Internet or private electronic connections, fax, email, paper in hand, thumb drives - and look for areas of weakness.
  • As an amplification of the point above - do not send confidential customer information via email unless it is encrypted or over a secure email connection (account numbers, tax ids, health and medical data, etc.)
  • Review every computer under your control and insure it has professional security software that guards against viruses, malware and related malicious programs and more importantly make certain it is configured to auto-update
  • Remember - the costs of security seem high until a security incident occurs - where the majority of firms realize the cost of insecurity can be massive and sometimes fatal to both business brand and business finances.

This is just a very brief discussion of a topic that deserves broader coverage. More will follow on strong processes for Operations teams to manage customer information.

 

 

 

This Website Is For Financial Professionals Only