Cybersecurity Policies

By: Darius Wood, Fall 2015 Intern

Cybersecurity is a growing concern. Rule 30(a) of Regulation S-P under the Securities Act of 1933 requires “every broker, dealer, and investment company, and every investment adviser registered with the Commission [to] adopt written policies and procedures” to protect customer records and information. As a growing number of hackers target company systems, investment advisers need to consider what measures they employ to protect their clients’ personally identifiable information (PII). The SEC has taken note of this change and has begun to require investment advisers to adopt proper cybersecurity policies, enforcing that requirement with monetary fines. Recently, the SEC fined R.T. Jones $75,000 for failing to establish adequate cybersecurity policies and procedures, a failure that allowed a hacker to compromise the PII of approximately 100,000 people.

Investment advisers can drastically improve their cybersecurity policies by focusing on two data security measures: encryption and data retention. Encryption is the process of converting data into a coded form that cannot be read without a special decryption key. Using encryption techniques, investment advisers can securely store information on their systems. Data retention refers to how long parties store PII. According to the SEC, investment advisers should remove PII from their systems as soon as the information is no longer needed. The best defense against a possible data breach is not storing the information at all, which completely eliminates the risk that the data could be compromised.

For more tips, consult the SEC Investor Alert: Identity Theft, Data Breaches and Your Investment Accounts.