SEC Provides Guidance on How to Respond to Cybersecurity/Identity Theft Incident

September 28, 2015

The U.S. Securities and Exchange Commission (SEC) continues to promote the importance of cybersecurity and protecting confidential investor information. On September 22, 2015, the SEC’s Office of Investor Education and Advocacy issued an Investor Alert on the steps investors should take to protect their investment accounts if they become victims of identity theft or a data breach. This Investor Alert came one week after the SEC issued a Risk Alert on the topic of its Cybersecurity Exam Initiative (September 15, 2015).

Though the SEC’s Investor Alert is intended for individual investors who experience identity theft or whose confidential information has been compromised, investment adviser firms should take note of its content and suggestions as they provide ideas for best practices in response to compromised client information.

Under the Gramm-Leach-Bliley Act and Regulation S-P, investment advisers have an obligation to safeguard their clients’ records and information. These regulations require investment advisers to take appropriate measures to protect customer information and to protect against identity theft.

If identity theft or a breach of client information occurs, the SEC’s Investor Alert recommends that an investor should:

Contact his or her investment firm and other financial institutions immediately.  As an investment adviser you should encourage your client to contact other financial institutions where he or she holds an account.

Change his or her online account passwords.  Immediately change the password for any investment or financial account associated with the compromised personal financial information.  Investment advisers should change the client’s account password at its firm and encourage the client to change his or her passwords at other financial institutions.

Close compromised accounts.  The victim should consult his or her investment firm about the best way to handle closing an account, if he or she chooses to do so. As an investment adviser you should close the compromised account.

Activate two-step verification. As an investment adviser you should offer a two-step verification process for gaining access to clients’ online accounts. With a two-step verification process, each time anyone attempts to log into the account through an unrecognized device (i.e., a device the client has not previously authorized on the account), the investment firm sends a unique code to either the client’s e-mail or cell phone. Before anyone can gain access to the account, they must enter this code in addition to the password. Activating this added layer of security may help reduce the risk of unauthorized access to client accounts by identity thieves.
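As an added illustration, not taken from the SEC alert or from RIA Compliance Consultants, the Python sketch below implements the login decision the alert describes: a correct password alone is enough from a device already authorized on the account, while an unrecognized device must also present a short-lived, single-use code that the firm delivers out of band. The class name StepUpLogin, the delivery callback and the five-minute code lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical step-up login check; all names and values are constructed for this example.
CODE_TTL_SECONDS = 300  # assumed lifetime of a one-time code


class StepUpLogin:
    def __init__(self, password_hash, salt, trusted_devices):
        self.password_hash = password_hash
        self.salt = salt
        self.trusted_devices = set(trusted_devices)  # device ids the client has authorized
        self.pending = {}  # device_id -> (code, expiry time) for codes not yet used

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def password_ok(self, password):
        # Constant-time comparison so timing does not leak how close a guess was.
        return hmac.compare_digest(self.hash_password(password, self.salt), self.password_hash)

    def begin_login(self, password, device_id, now, deliver):
        """Returns 'denied', 'granted' or 'code_required'. `deliver(code)` sends the code
        to the client's e-mail or phone; this sketch never returns the code to the caller."""
        if not self.password_ok(password):
            return "denied"  # wrong password: no code is sent, nothing about the device is revealed
        if device_id in self.trusted_devices:
            return "granted"  # recognized device: password alone suffices
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit code from a CSPRNG
        self.pending[device_id] = (code, now + CODE_TTL_SECONDS)
        deliver(code)
        return "code_required"

    def complete_login(self, device_id, code, now, remember_device=False):
        """Second step for an unrecognized device: the code must match, be unexpired and unused."""
        entry = self.pending.pop(device_id, None)  # single use: any attempt consumes the code
        if entry is None:
            return "denied"
        expected, expiry = entry
        if now > expiry or not hmac.compare_digest(expected, code):
            return "denied"
        if remember_device:
            self.trusted_devices.add(device_id)  # authorize this device for future logins
        return "granted"
```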

Place a fraud alert on his or her credit file. Placing an initial fraud alert in a credit file provides notice to potential creditors (e.g., banks and credit card companies) that an individual may have been a victim of fraud or identity theft and will help reduce the risk that an identity thief can use the compromised personal financial information to open new accounts. As an investment adviser you should recommend that the client place a fraud alert on his or her credit file with the credit bureaus.

Create an Identity Theft Report, which helps the victim deal with reporting companies, debt collectors, and businesses that opened accounts in the victim’s name. As an investment adviser you should recommend that the client create an identity theft report with the Federal Trade Commission and contact the local police department to file a police report. See www.identitytheft.gov for additional details.

Although we are not information security experts, RIA Compliance Consultants has identified some best practices that an investment adviser can discuss with its IT staff and information security consultants. Our Cybersecurity Package includes a cybersecurity best practices checklist and access to our webinar Cybersecurity for Investment Advisers. We also offer the webinar Identity Theft & Third Party Wire and Check Fraud, and an annual review tool with questions regarding best practices for cybersecurity, which could help investment advisers and their IT staff and information security consultants. If you would like more information regarding these or any of our compliance support services, contact your consultant if you are an existing client, or schedule a time to speak with one of our consultants if you have not previously worked with RIA Compliance Consultants.

Posted by Bryan Hill
Labels: Cyber Security, Cybersecurity, Identity Theft, Information Security, SEC