As a principal or Chief Compliance Officer’s (“CCO”) of a registered investment adviser ("RIA) firm, you should already know you’re expected to meet the cybersecurity standards outlined by the Securities and Exchange Commission (“SEC”). From our experience working with over 2,000 RIA firms, we understand that it is important to be informed of what regulators are looking for and how to develop a compliant cybersecurity program. Read on as we explore the cybersecurity topic of data loss prevention and some measures you can take to protect sensitive data.
The SEC defines Data Loss Prevention as “a strategy embraced and enforced by an organization to ensure that end users (employees, owners, vendors, etc.) do not send sensitive or critical information outside the corporate network.”
Regulators like the SEC will focus on your firm’s policies and procedures and the execution of security measures to prevent the loss of sensitive client and proprietary firm data. RIA firms will need to demonstrate how their security measures strengthen their ability to identify, monitor, and protect data at rest, in use, and in transit.
There are three components under the Data Loss Prevention umbrella:
- How does your RIA firm store, access, and transmit data?
As a best practice, take inventory of your firm’s data and note its digital storage location on the network or physical location in the office. Next, classify all pertinent data as public, private, or protected. Your firm should consider encryption to protect sensitive data if you do not already have this strategy in place.
Use the following questions to assess your cybersecurity program:
- In what quantities is data transferred? Is there ever a need to access and/or transmit client, or multiple client data, in bulk? Are these processes tightly controlled?
- In what fashion is data transferred and for what purposes? Are processes and policies in place to minimize all sensitive data transfers to “business critical” functions? Do all staff know what allowable transfer mechanisms are and what defined circumstances allow such transfers?
- Is it possible to transfer the data to entities outside the firm and to whom, etc.? What processes are in place to “verify/authorize” outside recipients?
Regulators may be interested in whether your firm can monitor and verify who can access data, and whether that data can be moved or copied in unauthorized manners. Finally, have you trained your staff properly on what specific data is not to leave the company, or if it is okay to leave the company, under what conditions and methodologies only?
- What processes, procedures, and mechanisms are in place to identify and categorize, control and limit access to, and identify misuse of data?
Have your technology support team run reports to clearly define “who has access to what.” It is generally unacceptable to store data in a manner where everyone has “wide open” access to everything.
Regulatory examiners will be looking for evidence that your RIA firm has processes and procedures by which you identify and classify your data in all its forms, especially for Non-Public Information ("NPI") like social security numbers, account numbers, addresses, and phone numbers.
- Do you have an ongoing process or system to identify, address, and remediate known security issues within your network and computer systems?
You should demonstrate how your firm continuously monitors your system for potential vulnerabilities, and how you can “patch” known vulnerabilities until a long-term solution can be implemented. Patches are defined as software code fixes that repair vulnerabilities, such as broken functionality, add new functionality, or fixes security holes in software. Have your technology support team run reports on the “patching status” of all computers in your firm. You should strive to have all systems fully patched within no more than 30 to 45 days of patches being made public.
It's also important to note that data loss prevention is just one of seven areas of investment adviser cybersecurity focus most recently highlighted by the SEC. The seven areas highlighted by the SEC were:
- Governance and Risk Management
- Access Rights and Controls
- Data Loss Prevention
- Mobile Security
- Incident Response & Resiliency
- Vendor Management
- Training and Awareness