Creating a Written Information Security Policy for Small RIAs

Identify your risks, prevent security breaches, and make a response plan just in case.

Helen Modly, CFP, CPWA, 04/16/2015

Both FINRA and the SEC have indicated that they expect advisors to have a written policy to address information security, particularly cybersecurity. Follow these three steps to create a policy that identifies your risks, prevents security breaches, and creates a response plan in case something does happen.

If you are not quite sure that the SEC is serious about cybersecurity, just glance through the seven-page list of information requests that was used in its recent cybersecurity sweep exam. Although many of these items are more relevant to large broker-dealers than to small one-shop advisory firms, several important items apply to all firms. The SEC has justified its enforcement efforts regarding cybersecurity with Regulation S-P, which requires all advisors to adopt a written privacy policy to safeguard clients' material, non-public information.

1. Conduct a Security Audit
The logical first step is to conduct an audit of your current security practices and identify the security risks that exist. Start with your front door. Are your offices locked securely when closed? Identify everyone who has keys, including landlords, cleaning crew, employees, and IT consultants. Do you change locks when employees leave the firm? Could someone enter by just breaking a window? Do employees lock up all client data when not in use?

Next, inventory all hardware. Are all servers encrypted and kept locked securely? Do all your computers have up-to-date virus and malware protection? Are you using an encryption program on all desktops and laptops? Are your modems, routers, and switches secure, and do they have up-to-date firmware installed?

Review all allowed access to your client data stored internally and externally. Determine who has access to what data. Do they need that access? Identify all web-based vendors where your client data exists, such as custodians, financial-planning sites, cloud-based portfolio management, or CRM systems. What are their cybersecurity precautions? Do they allow for a two-step authentication process, such as a randomly generated code from a key fob or sent by text to a cell phone? Do they require routine password resets or have personal security questions as a second layer of protection? Is login information blocked immediately when an employee leaves? Do you have a written data-destruction policy for both paper files and electronic media?

If you allow employees to access work email on their smartphones, laptops, or tablets, are they password protected? Can they be remotely wiped if lost or stolen? Do you allow employees to access data when working remotely? Do you require an encrypted connection such as VPN? Do you require employees to use a password manager program to securely sync passwords across all their devices? Do you have a strict password protocol or require randomly generated passwords?

How are client documents protected? Are you using a secure file-sharing service or an encrypted client portal, or do you allow documents to be sent by email without encryption? Do you hold regular employee training on cyber risks and responsibilities, especially regarding mobile devices and removable media? If employees have account applications or other client documents with them out of the office, what efforts must they make to keep them secure?

Do clients have online access to their accounts? Can they effect trades or other money movement online? How do your employees verify clients' identities when money movement requests are received via email? By phone? Have there been any incidents of security breach in the past?

Helen Modly, CFP, CPWA, is President of Focus Wealth Management, Ltd., and a practicing wealth advisor. She is a member of NAPFA and Chair of the board for the National Capital Area chapter of FPA. She can be reached at info@focus-wealth.com.

The author is a freelance contributor to MorningstarAdvisor.com. The views expressed in this article may or may not reflect the views of Morningstar.
