RIA Compliance and Practice Management Blog

RIA Cybersecurity Best Practices: Encryption

Posted by RIA in a Box

Sep 12, 2019 2:08:53 PM

Encryption is a method of protecting sensitive information from access by unauthorized third parties while the data is “in transit” (e.g. via email) or “at rest” (e.g. stored on a laptop computer’s hard drive). Note that each state covers a different threat: encrypting an email protects it between mail servers and mailboxes, while encrypting a laptop’s disk protects the data only if the device is lost or stolen while powered off or locked.

As it relates to encryption, registered investment adviser (“RIA”) firms are unlikely to find any state or federal regulatory compliance rule that explicitly requires the use of encryption. However, this is a common focus area during cybersecurity-related regulatory examinations. As such, RIA firms should consider two “areas” of encryption:


  1. Electronic communication: In its April 2019 risk alert, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) noted “staff observed registrants did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails to customers containing personally identifiable information (“PII”).” To address this common deficiency, the MyRIACompliance written information security policy (“WISP”) notes that staff members of an advisory firm should only provide sensitive information electronically to clients via a secure email or client portal system.

    Some firms may choose to only use a secure client portal to share sensitive information with clients, while other firms may prefer to use secure, encrypted email, or a combination of both methods. One of the most common solutions we have seen RIA firms utilize for secure email is ShareFile, a division of Citrix. Whether a firm adopts ShareFile or another similar solution, encrypted email systems generally require the recipient of the email (e.g. a client) to pass through a verification process before being able to access the email’s contents. Plain email, by contrast, may be encrypted between mail servers, but it is readable by anyone with access to either mailbox and offers no control over who opens the message.
  2. Device protection: RIA firms should strongly consider deploying encryption technology to protect sensitive information that may be held on company devices such as laptop computers. The MyRIACompliance WISP can require staff members to deploy proper data encryption on all staff workstations such as desktop or laptop computers. “Full disk encryption” is the process of securing the contents of the computer’s hard drive. There are a multitude of encryption solutions available for RIA firms to utilize. However, some Microsoft Windows and Apple operating systems already have built-in encryption tools which firms may wish to consider:

    1. BitLocker: Microsoft’s full disk encryption feature, available in Windows since Vista (Ultimate and Enterprise editions at that time). In Windows 10 it is included in the Professional, Enterprise and Education editions; Windows 10 Home offers only the more limited “device encryption” on supported hardware, so firms should confirm the edition on each workstation. BitLocker normally stores the disk key in the computer’s TPM chip and generates a 48-digit recovery password that must be retained by the firm.
    2. FileVault: Apple’s full disk encryption feature, built into macOS (FileVault 2, which encrypts the entire startup disk, has been available since OS X 10.7 Lion). Enabling it produces a recovery key that, like the BitLocker recovery password, must be recorded by the firm rather than left with the individual user.

We always recommend that firms consult with their information technology provider before deploying any encryption method, as there are a number of factors to consider. For example, firms should ensure that a full, secure data backup process is implemented and that any data recovery keys are properly stored before enabling encryption. Once a disk is encrypted, a forgotten password, a failed TPM or a replaced motherboard makes the data unrecoverable without the recovery key, so the key should be escrowed somewhere the firm (not only the employee) controls, such as Active Directory, a mobile device management system, or the firm’s password manager.
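As an added example (not from the original post or from RIA in a Box), the following PowerShell checks and enables BitLocker on a Windows 10 Pro/Enterprise workstation in the order the paragraph above recommends: the recovery password is created and recorded first, and the drive is only then bound to the TPM and encrypted. It uses the BitLocker module that ships with those editions. The function names, the -EscrowToAD switch, and the assumption that the firm has an Active Directory domain to back up keys to are ours; firms without AD would record the printed recovery password in their key escrow of choice instead.

```powershell
#Requires -RunAsAdministrator
# Added example: BitLocker pre-flight check and guarded enablement.
# Run from an elevated PowerShell session on Windows 10 Pro/Enterprise.
Import-Module BitLocker

# Report the encryption state of each volume and whether a recovery
# password protector exists. A volume is treated as compliant only when it
# is fully encrypted, protection is On (not suspended) and a recovery
# password exists that the firm can escrow.
function Test-BitLockerCompliance {
    [CmdletBinding()]
    param([string[]]$MountPoint = @($env:SystemDrive))

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $tpm      = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -in 'Tpm','TpmPin','TpmStartupKey','TpmPinStartupKey' })

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted / FullyDecrypted / EncryptionInProgress
            ProtectionStatus    = $vol.ProtectionStatus   # Off means the key is exposed even if the disk is encrypted
            EncryptionPercent   = $vol.EncryptionPercentage
            HasRecoveryPassword = $recovery.Count -gt 0
            HasTpmProtector     = $tpm.Count -gt 0
            RecoveryKeyIds      = @($recovery | ForEach-Object { $_.KeyProtectorId })
            Compliant           = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                                   $vol.ProtectionStatus -eq 'On' -and
                                   $recovery.Count -gt 0)
        }
    }
}

# Enable BitLocker on a decrypted volume, refusing to start encryption
# until a recovery password exists and has been handed to the firm's escrow.
function Enable-WorkstationBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$EscrowToAD   # assumption: the machine is domain-joined
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return
    }

    # Step 1: create the recovery password before any data is encrypted.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1

    # Step 2: escrow it somewhere the firm controls, not only the employee.
    if ($EscrowToAD) {
        # Requires the "Store BitLocker recovery information in AD DS" policy.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    } else {
        Write-Host "Record recovery password $($rp.RecoveryPassword) (ID $($rp.KeyProtectorId)) in the firm's key escrow before continuing."
    }

    # Step 3: bind the volume key to the TPM and encrypt with XTS-AES-256.
    # Encryption proceeds in the background; the TPM must already be provisioned.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest
}

# Usage: run the check first; enable only on volumes reported non-compliant.
Test-BitLockerCompliance | Format-Table -AutoSize
```

The ordering matters: Enable-BitLocker with only a TPM protector produces a disk that boots normally but cannot be recovered if the TPM or motherboard fails, which is exactly the situation the backup-and-recovery-key caveat above is meant to avoid. A ProtectionStatus of Off on an encrypted volume means BitLocker has been suspended (for example during a firmware update) and the clear key is stored on disk; the check flags that as non-compliant even though VolumeStatus still reads FullyEncrypted.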

In addition, encryption should be considered in the context of other data security tools and procedures, such as implementing a virtual private network (“VPN”) and firewall, or requiring staff members to set computers to lock automatically after a period of inactivity. The last point is not incidental: full disk encryption protects a laptop that is powered off or locked, but a logged-in, unlocked machine exposes its data regardless of the encryption on the drive. Ultimately, protecting sensitive client information requires a combination of strong human and technological defense measures.


Topics: RIA Operations, RIA Compliance, RIA Technology

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.
