Based upon the formal and informal expectations of state and federal securities regulators, every investment adviser should consider developing a written information security plan. Rule 30 of Regulation S-P issued by the U.S. Securities and Exchange Commission (“SEC”) requires SEC registered investment advisers to adopt written policies and procedures designed to ensure the security and confidentiality of client information. The enforcement of Rule 30 was highlighted by a recent SEC enforcement action against an investment adviser who had their trading system hacked. A year before the hacking occurred, an internal audit showed that the adviser did not utilize strong passwords. When the hacking occurred a year later, the investment adviser had taken no action to increase password security. Thus, the adviser was fined $275,000 for failing to safeguard customer information.
While state registered investment adviser firms are not subject to Regulation S-P, the Federal Trade Commission (“FTC”) has enacted Safeguard Rules which are similar to Regulation S-P and apply to state registered investment advisers. In addition some states have enacted their own requirements. In 2010, the Commonwealth of Massachusetts enacted detailed and comprehensive laws to prevent client data security breaches. These requirements apply to all investment advisers who have clients who are residents of Massachusetts. Further, the State of Nevada has enacted information encryption laws that apply to all investment advisers located within the state. As legislators and regulators continue to make protecting customer information a priority, investment adviser firms need to enact comprehensive information security plans to remain compliant with regulatory requirements.
Some specific information security safeguards that should be included in any plan are utilizing strong alphanumeric passwords to access firm computers, securing wireless connections and smart phones, encrypting laptops and external hard drives and physically locking client files when they’re not being used. A comprehensive information security plan should also designate an individual to be in charge of information security, identify reasonably foreseeable risks, implement safeguards to control those risks, train employees on how to protect client information, audit whether safeguards have been implemented and are effective, and outline actions to be taken in the event of a security breach.
If your investment adviser needs help developing and implementing a written information security plan or would like help reviewing an existing plan, click here to schedule a time to speak with one of our compliance consultants.