Category Archives: Information Security

SEC Provides Guidance on How to Respond to Cybersecurity/Identity Theft Incident

September 28, 2015

The U.S. Securities and Exchange Commission (SEC) continues to promote the importance of cybersecurity and of protecting confidential investor information. On September 22, 2015 the SEC’s Office of Investor Education and Advocacy issued an Investor Alert describing the steps investors should take to protect their investment accounts if they become victims of identity theft or a data breach. This Investor Alert came one week after the SEC issued a Risk Alert on the topic of its Cybersecurity Examination Initiative (September 15, 2015).

Continue Reading

The SEC’s Cybersecurity Enforcement Action and Risk Alert

September 25, 2015

The Securities and Exchange Commission (SEC) had a busy week regarding investment adviser and broker-dealer cybersecurity. On September 15, 2015 the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on the topic of its Cybersecurity Examination Initiative. The Risk Alert describes the areas of focus for OCIE’s cybersecurity examinations (more on this below). The SEC followed up its Risk Alert with an enforcement action against an investment adviser over a cybersecurity incident. The SEC censured the investment adviser and imposed a fine of $75,000. The SEC found that the investment adviser had failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).

Continue Reading

RIAs Should Consider SEC’s Online Security Tips for Investors

April 26, 2015

When cybersecurity is covered in the industry press these days, there is often discussion of its importance but, unfortunately, little specificity about the steps an investment adviser can take to improve its information security and IT practices.  Even the recent cybersecurity exam sweep results of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (“SEC”) are somewhat difficult for investment advisers to interpret and translate into an information security plan.  However, the SEC’s Office of Investor Education and Advocacy recently issued a bulletin giving investors tips on protecting their online accounts.  These recommendations for protecting an investor’s online account from fraud appear to RIA Compliance just as applicable to an investment adviser devising its own cybersecurity policies and practices.

Continue Reading

Cybersecurity for Investment Advisers

October 28, 2014

In its Examination Priorities for 2014 notice, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) indicated that technology would be one of its most significant initiatives in 2014. This focus on technology includes an assessment of an investment adviser’s cybersecurity preparedness. In April 2014, OCIE issued a National Exam Program Risk Alert providing additional information on its focus on assessing cybersecurity preparedness in the securities industry. The Risk Alert discusses OCIE’s cybersecurity initiative and the registered investment adviser and broker-dealer examinations OCIE is conducting as part of this initiative, which will, at a minimum, focus on the following:

Continue Reading

Top 10 Information Security Best Practices for Registered Investment Advisors

September 27, 2012

RIA Compliance Consultants recently hosted a webinar, Establishing Information Security Programs for Registered Investment Advisors.  During this webinar, our compliance consultant discussed the regulatory requirements for establishing an information security program and then went into a detailed discussion on how a registered investment advisor can establish an information security program that effectively protects its client data.

Continue Reading

Does Your Investment Adviser Have a Written Privacy Policy?

September 05, 2012

As we have previously discussed, Rule 30 of Regulation S-P (“Regulation S-P”), issued by the U.S. Securities and Exchange Commission (“SEC”), requires SEC registered investment advisers to adopt written policies and procedures designed to ensure the security and confidentiality of client information.  For state registered investment advisers, the Federal Trade Commission (“FTC”) has enacted a Safeguards Rule that is similar to Regulation S-P and applies to state registered investment advisers.  Additionally, some states have enacted their own information security requirements that apply to both SEC and state registered investment advisers.

Continue Reading

Understanding Investment Advisers’ Responsibilities Concerning Information Security

August 28, 2012

Investment advisers must protect records that contain clients’ non-public personal information. To safeguard client records and information, investment advisers should have a written information security plan in place. The main purpose of developing and implementing a strong written information security plan is to ensure that investment advisers have written policies and procedures in place to protect clients’ personal information. An investment adviser’s written information security policies and procedures must be reasonably designed to ensure the security and confidentiality of client records and information and to protect those records and information against any anticipated threats or hazards and against unauthorized access or use.

Continue Reading

Does Your Investment Adviser Firm Have a Written Information Security Plan?

August 11, 2011

Based upon the formal and informal expectations of state and federal securities regulators, every investment adviser should consider developing a written information security plan.  Rule 30 of Regulation S-P, issued by the U.S. Securities and Exchange Commission (“SEC”), requires SEC registered investment advisers to adopt written policies and procedures designed to ensure the security and confidentiality of client information.  The enforcement of Rule 30 was highlighted by a recent SEC enforcement action against an investment adviser whose trading system was hacked.  A year before the hacking occurred, an internal audit had shown that the adviser did not use strong passwords.  When the hacking occurred a year later, the investment adviser had taken no action to strengthen its password security.  As a result, the adviser was fined $275,000 for failing to safeguard customer information.

Continue Reading