From the March 2012 issue of Investment Advisor

March 1, 2012

How Serious Are You About Securing Your Data?

In this day and age, advisors can’t afford to get sloppy with security


Advisors today have access to more client data than ever before. This includes Social Security numbers, multiple addresses of record, beneficiary information, salary, employment data, net-worth details and tax returns. Recently, new laws and regulations have been promulgated by states and federal authorities that govern how personal data must be handled. How well you safeguard your clients’ valuable data can be either a selling point or a trouble spot for your firm. 

Perhaps the device that stores most of your clients’ confidential financial information is a server in your office. Basic safety guidelines should lead you to house the server in a separate room and protect it in a locked server cage. In addition, the data on the server should be encrypted. Many firms use the encryption capabilities built into Windows Server 2008 R2. It is not a difficult process to set up, but I do recommend that you work with your IT consultant on the effort. The most challenging part of this task is making sure that all associates can still access the same files after the server is encrypted. Another important factor to understand is that each time the server is rebooted, the encryption key code (a distinct PIN) must be entered in order to unlock the data on the server. This is how encryption provides additional security in the unfortunate event that your server is stolen: without that PIN, the data on the stolen machine cannot be read.

You should also consider encrypting confidential data stored on any computers used by your firm. Keep in mind that encrypting data on your server does not also encrypt data stored on desktop or laptop computers, even though they may be connected to the server. The best practice is to not store any confidential information on desktops, laptops or mobile devices, especially considering how easy it is for these devices to be stolen. However, if this is unavoidable, the Windows 7 Ultimate version provides encryption capabilities.

There are firms that outsource their technology infrastructure and data storage to firms such as Barracuda, Egnyte or Evault. Essentially, confidential data are stored on servers at the outsourced company’s facilities. These outsource data companies implement sophisticated security systems and policies to protect the data that they maintain on behalf of their clients. However, don’t forget to document on a regular basis (perhaps annually) that they are continuing to meet their obligations and that they have not had any data breaches. Consider sending a simple email to the provider asking these questions and then documenting the response.

It is well-known that email is not secure. Therefore, it is important to secure any confidential information and attached documents transmitted through email with some form of security, such as password protection. This practice also applies to any service that uses email to transmit information to your firm. For example, if you use an outsourced service to receive faxed documents by email, then the fax service too should have security in place.

It is somewhat ironic that many firms spend a fair amount of money and time to protect their clients’ confidential financial data stored electronically, then forget about the paper documents containing the same information. Does your firm have a policy to lock up any confidential financial documents, or are they left in the open on a desk or table? Who has access to your office during off hours? It is a simple idea and it takes little effort to lock away these documents so that they are not easily accessible to curious eyes.

Securing your clients’ confidential financial data clearly involves both capable systems and clear procedures. In meeting this task, your firm might use internal as well as external solutions. However, protecting this information is a responsibility that should be shared across your entire firm. From the intern to the founder of the firm, everyone should be accountable for protecting this valuable information.
