Most advisors understand that cybersecurity and protecting client data are of paramount importance, yet significant confusion remains as to what specific cybersecurity rules (if any) apply to investment advisors. Additionally, given the ever-evolving nature of the cybersecurity challenge, many advisors assume that protecting client data and staying compliant require outsourcing these tasks entirely, purchasing expensive tools, or both. While outsourcing and quality cybersecurity tools can certainly be of benefit, advisors would be best served to understand what is required, what is best practice, and what their risks are before tackling cybersecurity and compliance.
What Cybersecurity Regulations Apply to Registered Investment Advisors?
Investment advisors must follow the requirements of their specific regulatory body, and for Registered Investment Advisors, this means looking to either the SEC or their state securities division. Yet those searching for a cut-and-dried list of cybersecurity rules and requirements from their regulators are likely to be disappointed. Specifically, the SEC will direct you to Regulation S-P, which requires registered broker/dealers, investment companies, and investment advisors to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Considered alone, this is an extremely vague requirement.