Creating a Written Information Security Policy for Small RIAs

Identify your risks, prevent security breaches, and make a response plan just in case.

Helen Modly, CFP, CPWA, 04/16/2015

Both FINRA and the SEC have indicated that they expect advisors to have a written policy to address information security, particularly cybersecurity. Follow these three steps to create a policy that identifies your risks, prevents security breaches, and creates a response plan in case something does happen.

If you are not quite sure that the SEC is serious about cybersecurity, just glance through the seven-page list of information requests that was used in their recent cybersecurity sweep exam. Although many of these items are more likely relevant to large broker-dealers than to small one-shop advisory firms, several important items apply to all firms. The SEC has justified its enforcement efforts regarding cybersecurity with Regulation S-P, which created the requirement that all advisors adopt a written privacy policy to safeguard clients' material, non-public information.

1. Conduct a Security Audit
The logical first step is to conduct an audit of your current security practices and identify the security risks that exist. Start with your front door. Are your offices locked securely when closed? Identify everyone who has keys, including landlords, cleaning crew, employees, and IT consultants. Do you change locks when employees leave the firm? Could someone enter by just breaking a window? Do employees lock up all client data when not in use?

Next, inventory all hardware. Are all servers encrypted and kept locked securely? Do all your computers have up-to-date virus and malware protection? Are you using an encryption program on all desktops and laptops? Are your modems, routers, and switches secure, and do they have up-to-date firmware installed?

Review all allowed access to your client data stored internally and externally. Determine who has access to what data. Do they need that access? Identify all web-based vendors where your client data exists, such as custodians, financial-planning sites, cloud-based portfolio management, or CRM systems. What are their cybersecurity precautions? Do they allow for a two-step authentication process, such as a randomly generated code from a key fob or sent by text to a cell phone? Do they require routine password resets or have personal security questions as a second layer of protection? Is login information blocked immediately when an employee leaves? Do you have a written data-destruction policy for both paper files and electronic media?

If you allow employees to access work email on their smartphones, laptops, or tablets, are they password protected? Can they be remotely wiped if lost or stolen? Do you allow employees to access data when working remotely? Do you require an encrypted connection such as VPN? Do you require employees to use a password manager program to securely sync passwords across all their devices? Do you have a strict password protocol or require randomly generated passwords?

How are client documents protected? Are you using a secure filesharing service or an encrypted client portal, or do you allow documents to be sent by email without encryption? Do you hold regular employee training on cyber risks and responsibilities, especially regarding mobile devices and removable media? If employees have account applications or other client documents with them out of the office, what efforts must they make to keep them secure?

Do clients have online access to their accounts? Can they effect trades or other money movement online? How do your employees verify clients' identities when money movement requests are received via email? By phone? Have there been any incidents of security breach in the past?

Depending upon how you do business, there may be many more areas to examine. For instance, if you use an outside IT vendor, involve them in the audit.

2. Draft a Written Information Security Policy
Once you have completed your audit, document what you examined, what you found, and your plan to remedy any weaknesses. Also document how you plan to test and monitor your plan afterward. This will become the baseline for your Information Security Policy and should be reviewed and updated each year as part of your overall annual compliance review. Document all employee training activities and their content.

3. Draft an Information Security Incident Response
Determine what is to be done in the event of a security breach. At the very least, any incident should be documented to include the nature of the incident, who and what equipment were involved, how the incident was detected, and how the firm responded. Also document the steps you will take to prevent a similar incident in the future. Identify who in the firm is responsible for the firm's response.

If clients' personal, non-public information was compromised, do you have a cybercrime insurance policy to help with the costs of notifying clients? Will it cover credit monitoring services for a year or two? Will it cover credit repair services? If a firm employee or ex-employee was involved, will the firm have coverage for any financial liability to clients?

Our online activity increases daily, and so does our exposure to the risk of unauthorized access to personal data. You will sleep better having addressed these issues. Your clients will appreciate your concern and efforts to protect their information. Your regulators are demanding it of you. 

Helen Modly, CFP, CPWA, is President of Focus Wealth Management, Ltd., and a practicing wealth advisor. She is a member of NAPFA and Chair of the board for the National Capital Area chapter of FPA. She can be reached at info@focus-wealth.com.

The author is a freelance contributor to MorningstarAdvisor.com. The views expressed in this article may or may not reflect the views of Morningstar.
