Registered investment advisors (also written as registered investment advisers, or RIAs) have an incredible responsibility to secure and protect the data of their employees, clients, and investors — no matter whether they reside in Los Angeles, the greater United States, or even the European Union (EU). They do this in part by abiding by the industry’s computer security compliance standards.
Because RIAs are entrusted with handling highly sensitive personally identifiable information (PII) and financial data, there are industry regulations in place that are designed to help ensure that your firm upholds certain security compliance standards concerning the protection of said data. Some of the regulatory bodies that enforce these regulations include the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). For RIAs who handle information of people who reside in the EU, they also must be compliant with the EU’s General Data Protection Regulation (GDPR).
For example, the SEC regulates investment advisors who have $110 million or more in client assets under management (AUM), whereas those who manage less than $100 million must register with the state securities agency in their state of operation. In the “grey area” between $100 and $110 million, RIAs can elect to register with the SEC but are required to do so once their AUM surpasses the $110 million threshold.
The SEC focuses on assessing whether RIAs follow best practices and do everything possible to protect sensitive client and investor data. As such, according to the 2018 Congressional Budget Justification Annual Performance Plan and 2016 Annual Performance Report, more than 1,440 SEC-registered investment advisors were audited in 2016, and it was estimated that another 1,750 would be audited in 2017 to ensure they met SEC requirements.
But, how does meeting and abiding by computer security compliance standards give your organization a competitive edge?
Cybersecurity Risk Assessments Enable Better Data Protection
Being proactive means not waiting until something goes wrong and client PII and financial data are exposed before adhering to computer security compliance standards and best practices. RIAs can run periodic security risk assessments to gain an in-depth assessment of their existing security protocols and policies to identify gaps in security or areas of improvement before they become problems.
According to a guidance document by the SEC’s Division of Investment Management, there are multiple components to what can (and should) be assessed:
“(1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.”
These types of assessments can be performed either by your in-house IT security team or a managed security service provider (MSSP), like FPA, which is highly equipped and trained to handle these procedures.
There are many benefits of using an MSSP’s services over leaving computer security compliance and cybersecurity protections in the hands of an in-house team — one of the greatest being that partnering with an MSSP frees up your team to handle other pressing in-house security concerns. You also never have to worry about someone being available to handle issues that arise because Joe on your in-house IT security team took a much-deserved vacation for two weeks. An MSSP also can help you to:
- Establish computer security compliance standards and policies for your firm that employees must follow;
- Monitor and provide support in response to events and to maintain your RIA firm’s security; and
- Schedule and perform critical network and IT system support upgrades and patching during hours that are convenient for your firm.
Form ADV Shows Your Firm Values Security Compliance
The Form ADV is a two-part document that contains pertinent information about the RIA firm and any issues it may have had with clients or regulators, as well as a breakdown of its services, strategies, and fees. This is a document that every compliant RIA should be able and willing to provide to prospective clients and investors. It’s advantageous to these groups to review this form because if your firm has been found to be noncompliant with any standards or has been disciplined for concerns, including cybersecurity noncompliance issues, they need to know.
An updated form must be delivered to clients whenever there is a new disclosure of a disciplinary event or a change to previously disclosed disciplinary information. Providing this information can help you build greater trust and credibility with existing and prospective clients.
Being Certified Provides Additional Credibility to Your Firm
Although no license is technically required to be a registered investment advisor, RIAs who earn the chartered financial analyst (CFA) and chartered investment counselor (CIC) credentials demonstrate a higher level of credibility than their non-certified professional counterparts.
If you show credibility and respect for adhering to compliance standards in these areas, then that care and concern can be viewed by clients as carrying over into other areas of compliance as well, including computer security.
As an RIA, there is so much that you can do to increase your firm’s success and prosperity — and improving your computer security compliance is one of them. Enhanced security compliance can help to boost your firm’s competitive standing in the industry by underscoring that the security and protection of your clients’ data is a top priority.
To learn more about the ways that you can improve your computer security compliance efforts as a registered investment advisor firm, check out our complimentary resource by clicking on the image below. If you have questions about SEC and FINRA compliance, our team of IT security experts is here to help.
What are you doing to help protect your clients and to ensure your firm adheres to the computer security compliance standards outlined by the SEC and FINRA? Share your thoughts and experiences in the comments section below.