In some respects, an advisory firm’s concern about data security is like a pledge: “We will do everything we can to protect our clients and our firm.”
Understanding your risks and responsibilities is critical when you consider the amount and type of data that is controlled by your firm. There are several best practices to implement right away that will assist in your firm’s data security efforts.
First, you should understand exactly the type of data your firm retains and how it is controlled. Take a complete inventory of every data type and access point. Part of this inventory will include the type of data that is stored locally at your office, whether on a file server, a local machine or some other device. It should also include data that is stored on cloud-based systems like iCloud, ShareFile or Dropbox. A final inventory grouping could be technology providers that store or access your data, like your CRM, portfolio reporting or imaging systems. Ultimately, a key benefit of this exercise is to make sure you are comfortable with all the locations where your data is retained.
Once you have inventoried all your data locations, examine how it is stored and protected. Is the data encrypted? Are there multiple levels of security (e.g., multi-factor authentication)? Can the data be easily removed? These questions are important for data stored at your firm or by a third party.
Sometimes advisors can be too trusting of outside companies handling their data. For example, do you know if your providers allow their employees to remotely access your data? If yes, do they use their own devices or the computers purchased and controlled by the company? Remember it is your data, so it is worth the time and effort to ask these important questions.
How closely have you read the contracts and agreements between your firm and providers that have access to your data? In the event the data is compromised, is it clear who is responsible for addressing the problem? Who must notify the affected parties? The worst time to try to answer these questions is when a problem occurs and you are trying to determine what needs to be done (or not). Unfortunately, there can be a lot of finger pointing when these events occur, which can lead to a lack of alignment in how to address the problem. Planning now with your staff and service providers will deliver significant benefits in the unfortunate event that a data breach occurs.
Another important aspect of securing your firm’s data is having clear policies and procedures for your staff to follow. You can spend a tremendous amount of money on technology infrastructure, encryption tools and security software, but unfortunately this will not always prevent a staff member from being careless or naïve about protecting your firm’s data. Too often we hear stories about firm employees who had no idea private information was inadvertently stored on their hard drive, or that their login credentials were compromised because they used an unsecured internet connection, or that all their contacts were easily accessible when their iPhone was stolen.
Your firm’s policies and procedures must be clear regarding what your staff is allowed and not allowed to do in order to better protect your firm’s data. Some businesses (both small and large) require their employees to carry two mobile devices: one owned by the company and the other for personal use. This is a very conservative approach, but it definitely can make sense depending on the employee’s position and the level of control necessary to protect business data.
Finally, don’t forget about regulatory rules regarding data security and retention (FINRA, state and SEC, depending on your type of firm) that must be incorporated into your firm’s policies and procedures.
The reality is that the amount of data available to and retained by financial firms increases every day. With the right amount of attention and focus, you should be able to better protect your firm’s data and minimize the problems that can arise from inadequate data security. Therefore, be diligent with your data security efforts so that a problem is not magnified simply because of the passage of time.