Many financial advisors may be understandably confused about the best strategies to protect against cybercrime – as well as their own regulatory and compliance responsibilities. It may be reassuring to hear, however, that by familiarizing themselves with compliance issues, planners are likely to be taking significant steps towards tackling the actual security threats.
Securities lawyer Daniel Bernstein says that while there really aren’t any specific compliance regulations about cybersecurity, advisors can seek guidance from closely-related rules that are already in place. Bernstein, director of research and development at the regulatory financial consulting firm MarketCounsel, says advisors should look to the SEC’s Regulation S-P, which is aimed at protecting consumer financial information by requiring notice of privacy policies and by preventing the disclosure of personal information to third parties.
The rule also requires broker-dealers and registered advisors to adopt policies that safeguard the security and confidentiality of consumer records and to protect against any anticipated threats or unauthorized access. Bernstein also points planners to the SEC’s “Red Flags Rules,” which require financial institutions to adopt written identity theft policies that include detection and response procedures, as well as periodic updates.
If that still seems a little broad and non-specific, advisors can get more detailed guidance by looking at a “sweep letter” the SEC sent out in April, says planner Bill Winterberg, who is also a technology consultant to financial advisors. An attempt by the commission to gather sample information about cybersecurity, the letter was sent to 50 broker-dealers and independent advisors. “It was six pages of very detailed questions,” says Winterberg.
The document surveyed firms' policies about a wide range of topics, including hardware and software monitoring, network connections, risk assessment plans and types of user access. Through multi-part questions, the letter was aimed at learning about advisors' actual experiences with everything from encryption to denial of service attacks. Winterberg says advisors who didn’t get the letter can learn a lot by posing those questions to themselves, their IT people or security consultants. “What I’ve seen advisors do is to take that letter and reverse engineer it into a policy,” he explains.
Most states have also adopted their own data protection programs, and many of those regulations address cybercrime related issues. “Those regulations are in place regardless of whether you’re SEC or state-registered,” says Bernstein. “It’s for anyone who has a client in that state.” He recommends looking at Massachusetts’ law, which is known for its detail in outlining preventive measures.
It’s usually easier for larger firms, with large IT departments, or even their own security experts, to keep up to date with security issues, but it’s essential that advisories of all sizes do their due diligence. Bernstein says that he sees most non-compliance penalties around regulation S-P when an advisor or broker fails to keep client information secure. Often, the infraction results in a deficiency letter, which isn’t made public, he says, while fines occur more often when client data is actually stolen. The biggest problem occurs when the advisor should have known or could have stopped the theft of a client’s information or money. In addition to legal liability and damaged reputation, advisors are likely to face regulatory penalties. “If you should have known that your client information was at risk, and you didn’t do anything to stop it, they’ll find a rule to fit that into,” says Bernstein.
Paul Hechinger is a New York-based freelance writer.