If your firm has already been subject to an audit, you’re aware of what the SEC is looking for during their visits. If you’ve yet to be audited, the idea may inspire feelings of dread or concern. As scary as it may be, it’s important to understand that the SEC is merely ensuring that best practices are being followed and that you’re doing everything within your power to protect the data you handle on a daily basis. If you’re doing your job correctly, a visit from the SEC will become a routine opportunity to refresh your firm’s understanding of its policies.
The U.S. Securities and Exchange Commission (SEC), which was created by the U.S. Congress to ensure that the security of financial markets and the interests of investors are protected, visits registered investment advisor (RIA) firms to conduct “for cause” and surprise audits. A total of 1,447 SEC-registered investment advisors were audited in 2016, and it was estimated that another 1,750 would be audited in 2017 to ensure they met SEC requirements, according to the 2018 Congressional Budget Justification Annual Performance Plan and 2016 Annual Performance Report.
So what exactly is the SEC looking for when they visit an RIA firm? As far as your technology is concerned, there’s no doubt they’ll check to see where you stand regarding these six key considerations:
1: Organized Records
Without organization, a firm can’t maintain any true level of security. Have you ensured that everything has a place and is in its proper place? Dated and alphabetized records should be kept secure at all times, and hardcopy files of data that you have digitally should be kept in secure, locked filing cabinets. Additionally, obsolete records should be disposed of securely and immediately to prevent their contents from being stolen or misused.
2: Presence of an Acceptable Use Policy
An Acceptable Use Policy (AUP) is a document that ensures all of your employees are on the same page regarding data handling, network usage, and security. An effective AUP prepares your firm for a host of eventualities and enables you to clearly document the rules regarding how data is handled, transmitted, and stored. Without it, you put your clients’ interests in jeopardy every time someone accesses their files, so set your firm straight immediately.
3: Evidence of Secure and Compliant Data Storage
There’s a lot that can be said about data storage and the guidelines pertaining to the types of storage facilities that are acceptable to auditors such as the SEC. Following news of a security breach at Dropbox, the safety of cloud storage facilities and online sharing networks was called into question. It’s now more important than ever to do your due diligence when it comes to offsite storage of your information. What have you done lately to ensure your data is — and remains — secure?
4: Multilayer Security
The SEC will be looking for evidence that you’re protecting your clients on every level, including data storage, the transmission of information, and your cloud storage solution. To determine your current level of security, ask yourself the following questions:
- Are the devices password-protected and secured with PIN entry?
- Are you using a private Wi-Fi connection?
- Are emails and sensitive data protected by encryption software?
Everything that a client’s data comes into contact with should have a layer of security attached; otherwise, there’s always a risk that it could be compromised.
5: A Means of Identifying Risk and a Disaster Recovery Plan
While it’s important to prevent security breaches and to minimize the damage that results from viruses, how do you identify an issue in the first place? As an RIA, you need to be on the ball at all times, and the SEC will expect to see a number of procedures in place to ensure you’re prepared in every possible way. Similarly, it’s essential to have a Disaster Recovery Plan in place to guide you through every step should a disaster occur. Regardless of whether you’re expecting a visit from the SEC, it’s a good idea to be familiar with such protocols and to know what to avoid.
6: Previous Experience with Cybersecurity Threats
The types of threats your firm has previously experienced — and how you dealt with those risks to your firm and its data — are of great interest to the SEC. Such information will enable them to work through your procedures to ensure that any mistakes aren’t replicated.
Remember, the SEC doesn’t assess security measures to point out your flaws; its goal is to understand how your firm handles data and what protective layers of security you have in place. Just as a technology audit will help you to discover and address issues with your software and equipment, a security audit will help you to identify problems before they become issues. The security of your company’s data — and that of your clients — is paramount to the success of your firm.
What are you doing to help protect your clients and to ensure your firm remains in compliance with SEC requirements? Share your thoughts and experiences in the comments box below.