In some respects, an advisory firm’s concern about data security is like a pledge: “We will do everything we can to protect our clients and our firm.”
Understanding your risks and responsibilities is critical when you consider the amount and type of data that is controlled by your firm. There are several best practices to implement right away that will assist in your firm’s data security efforts.
First, you should understand exactly the type of data your firm retains and how it is controlled. Take a complete inventory of every data type and access point. Part of this inventory will include the type of data that is stored locally at your office, whether on a file server, a local machine or some other device. It should also include data that is stored on cloud-based systems like iCloud, ShareFile or Dropbox. A final inventory grouping could be technology providers that store or access your data, like your CRM, portfolio reporting or imaging systems. Ultimately, a key benefit of this exercise is to make sure you are comfortable with all the locations where your data is retained.
Once you have inventoried all your data locations, examine how it is stored and protected. Is the data encrypted? Are there multiple levels of security (e.g., multi-factor authentication)? Can the data be easily removed? These questions are important for data stored at your firm or by a third party.
Sometimes advisors can be too trusting of outside companies handling their data. For example, do you know if your providers allow their employees to remotely access your data? If yes, do they use their own devices or the computers purchased and controlled by the company? Remember it is your data, so it is worth the time and effort to ask these important questions.