By now, the awareness to better define and document protection of critical information, strengthen data security procedures as well as integrate incident response plans is well understood at all levels of business. Recent breaches (Target, Disney, OPM) only confirm such and lead to significant legislative and regulatory actions including those recently by FINRA and the SEC.
The 2016 FINRA Regulatory and Examinations Priorities Letter raised the bar for expectations of IBDs and their advisors. Requirements, now closely resembling previous SEC guidance, now demand comprehensive policies and procedures, testing and the training of associated and involved persons, as well as documented and proven incident response plans. These new expectations flush to the surface many previously overlooked, misunderstood, or un-addressed issues. Below are the top 5, in no particular order, based on actual client feedback:
Clients are actually that of my broker-dealer so the responsibility is really theirs
While it is true that IBD’s have their own data security responsibilities, a branch and/or registered representative is responsible for data while they utilize, store, or share with their discretion. Areas include storage, backup, vendor access (including web based SaaS vendors), mobile devices, paper files, etc.
My broker-dealer will step in and be "in my corner"
Most IBDs provide generic, broad policies related to data security and incident response and in some cases have even purchased cyber liability insurance. But, be assured that the liabilities and remediation costs associated with such will first fall on the incident place or origin. IBDs have the “oversight” liability but Branches and Representatives will find they will be responsible for the management of the cause and incident and prove that best practices, comprehensive policies, training and testing were all in place prior to such events to avoid additional penalties.
'We only use the web and don't store any date on site,' or 'we only use paper files'
The internet offers speed and convenience both to those with good and bad intentions and therefore access to critical data can be accomplished in many ways though the web. Limiting or restricting Internet use, without questioning the practicality of such, does not limit data exposure since 60 percent of incidents originate from paper and people activities. Vendor vetting and management is increasingly important as advisors share and expose such without client consent. To clarify, data placed by a registered representative inside a web-based software platform is still their responsibility.
We have been inspected by FINRA twice in the past 4 years and they never addressed data security
The simple answer here is “things change." The need to regulate cyber/data security is widespread, impacts all levels of business, and will only accelerate in the foreseeable future.
Really, we are way too small to be a target
There's no exclusions or exceptions for those who have valuable information to avoid the responsibility to protect it with best practices and procedures.
Mike O'Shaughnessy is Vice President of Guidance at Advisor Armor.