Two common themes that have appeared during recent regulatory exams are the integrity of client assets and the integrity of clients’ information. As to the former, the issue is whether client assets are where they are supposed to be. As to the latter, the issue is whether advisors are maintaining client information in a secure and confidential manner.
The confidentiality of client information has become increasingly more important in the following situations:
- An advisor who shares offices with individuals or entities unrelated to the firm
- Other individuals who may have access to firm offices, including a landlord, managing agent, security personnel or cleaning staff
- Vendors or service providers that may have direct access to client or firm information, especially electronic information, such as IT consultants, shredding services, or document and information storage providers
There is a corresponding related question on the most recent SEC exam that inquires as to the identity of the firm’s vendors, how the firm found them, any due diligence undertaken, and the steps the firm has taken relative to those vendors to protect confidential client information.
It goes without saying that all firm employees and representatives should execute a confidentiality agreement, but what about the other players referenced above? Should they be requested to execute a confidentiality agreement? It depends upon to whom you are making the request. You will have more leverage to require such an agreement of individuals with whom you share office space or hire to provide services (e.g., IT vendors) than you will have with respect to the landlord, especially post lease execution. In all cases, request a confidentiality agreement when you initiate a contract, but especially relative to the landlord or managing agent. You will have more leverage to request confidentiality as part of lease negotiations than subsequent to execution of the lease.
The same timing pertains to vendors, but unlike a landlord, a firm will generally have more leverage relative to terminating a vendor on short notice than it would relative to a lease that may be for a term of several years. In addition, if the landlord or managing agent hires security and cleaning personnel, you can ask the landlord to execute the confidentiality agreement on their behalf and accept responsibility for their conduct. At the very least, you should document that you made an inquiry as to the screening process utilized by the landlord or managing agent prior to hiring such personnel or service providers.
I refer to the above confidentiality issues in a firm’s policies and procedures, and include corresponding forms of confidentiality agreements. Will having these agreements executed ensure that all those who have access or entry will not view or utilize confidential information? Of course not, but doing nothing is not an alternative. It is important for all those who may have access or entry to appreciate your position and the heightened sensitivity to confidentiality. If the landlord or managing agent will not execute, I recommend you send a tactful letter to the landlord or managing agent acknowledging his or her refusal to execute the agreement. Remind the landlord of his or her confidentiality obligations, as well as those of anyone to whom he or she may grant access to the firm’s offices.
Many services providers, especially national firms, will include confidentiality provisions in their contracts with the advisory firm. Those provisions are generally sufficient. However, as to information or document storage providers, you should also make inquiry as to their respective procedures to safeguard the information with which they are entrusted.
The above will not insure against security breaches, but, as previously indicated, doing nothing is not an alternative.