Creating a Written Information Security Policy for Small RIAs

Identify your risks, prevent security breaches, and make a response plan just in case.

Helen Modly, CFP, CPWA, 04/16/2015

Both FINRA and the SEC have indicated that they expect advisors to have a written policy to address information security, particularly cybersecurity. Follow these three steps to create a policy that identifies your risks, prevents security breaches, and creates a response plan in case something does happen.

If you are not quite sure that the SEC is serious about cybersecurity, just glance through the seven-page list of information requests that was used in its recent cybersecurity sweep exam. Although many of these items are more likely relevant to large broker-dealers than to small one-shop advisory firms, several important items apply to all firms. The SEC has justified its enforcement efforts regarding cybersecurity with Regulation S-P, which created the requirement that all advisors adopt a written privacy policy to safeguard clients' material, non-public information.

1. Conduct a Security Audit
The logical first step is to conduct an audit of your current security practices and identify the security risks that exist. Start with your front door. Are your offices locked securely when closed? Identify everyone who has keys, including landlords, cleaning crew, employees, and IT consultants. Do you change locks when employees leave the firm? Could someone enter by just breaking a window? Do employees lock up all client data when not in use?

Next, inventory all hardware. Are all servers encrypted and kept locked securely? Do all your computers have up-to-date virus and malware protection? Are you using an encryption program on all desktops and laptops? Are your modems, routers, and switches secure, and do they have up-to-date firmware installed?

Review all allowed access to your client data stored internally and externally. Determine who has access to what data. Do they need that access? Identify all web-based vendors where your client data exists, such as custodians, financial-planning sites, cloud-based portfolio management, or CRM systems. What are their cybersecurity precautions? Do they allow for a two-step authentication process, such as a randomly generated code from a key fob or sent by text to a cell phone? Do they require routine password resets or have personal security questions as a second layer of protection? Is login information blocked immediately when an employee leaves? Do you have a written data-destruction policy for both paper files and electronic media?

If you allow employees to access work email on their smartphones, laptops, or tablets, are they password protected? Can they be remotely wiped if lost or stolen? Do you allow employees to access data when working remotely? Do you require an encrypted connection such as VPN? Do you require employees to use a password manager program to securely sync passwords across all their devices? Do you have a strict password protocol or require randomly generated passwords?

How are client documents protected? Are you using a secure file-sharing service or an encrypted client portal, or do you allow documents to be sent by email without encryption? Do you hold regular employee training on cyber risks and responsibilities, especially regarding mobile devices and removable media? If employees have account applications or other client documents with them out of the office, what efforts must they make to keep them secure?

Do clients have online access to their accounts? Can they effect trades or other money movement online? How do your employees verify clients' identities when money movement requests are received via email? By phone? Have there been any incidents of security breach in the past?

Helen Modly, CFP, CPWA, is President of Focus Wealth Management, Ltd., and a practicing wealth advisor. She is a member of NAPFA and Chair of the board for the National Capital Area chapter of FPA. She can be reached at info@focus-wealth.com.

The author is a freelance contributor to MorningstarAdvisor.com. The views expressed in this article may or may not reflect the views of Morningstar.
