Firms should keep all such information secured on cloud-based systems and know, in real time, when anyone accesses it, which individuals access it, which software and devices they use to do so, and where those devices are located during each session. If inappropriate activity is detected, such as a session from an unknown user or an unapproved device, the firm should be able to end that session remotely.

2. Don’t assume regulators recognize advisor “ownership” of client data. In the independent broker-dealer space, it has been customary to view the advisor as owning client data. But as the recent Massachusetts fine against Summit makes clear, that is no longer a certainty as far as regulators are concerned.

Whether they like it or not, independent broker-dealer and RIA firms should be prepared to take a harder stance with exiting advisors over sensitive client data by blocking access to any confidential information left on the firm’s systems after the advisor’s date of departure.

When anyone materially linked to the firm exits, their access to any confidential information that regulators deem within the purview of the firm also should end. With DIY advisors using their own software and hardware, the firm still has to determine which data it has regulatory responsibility for protecting.

3. Keep clear records for the regulators. It’s one thing to track and restrict access to confidential data, and an entirely different thing to document those efforts in a meaningful way for regulators. Firms should keep detailed and clear audit logs of activity on their systems. If data breaches occur, the firm also should document remediation steps that decision-makers take to prevent future lapses.

This way, if an SEC or Finra audit occurs, examiners will have comfort that the firm followed its own compliance guidelines in addition to regulations on data safety. It may save the firm from costly fines, reputational damage and legal entanglements.
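To make the session monitoring in rule 1, the departure cut-off in rule 2 and the audit trail in rule 3 concrete, here is an added example that is not code from the article or from Entreda. It checks constructed session records against a hypothetical approved-user roster (with departure dates), a device inventory and a client-software allowlist, marks any failing session for termination, and writes each decision as one JSON audit line. All names, fields and sample data are assumptions made for the illustration.

```python
"""Session-access policy check over constructed access events.

Added example, not from the article. The roster, device inventory,
software allowlist and sample sessions are all hypothetical.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed roster: approved user -> departure date, or None while active.
APPROVED_USERS: dict[str, Optional[date]] = {
    "advisor.jane": None,
    "advisor.bob": date(2020, 3, 31),  # departed; access must end after this date
}
# Constructed device inventory: device id -> the user it is registered to.
APPROVED_DEVICES: dict[str, str] = {
    "LT-1001": "advisor.jane",
    "LT-1002": "advisor.bob",
}
# Constructed allowlist of client software builds the firm has vetted.
APPROVED_SOFTWARE = {"FirmPortal/4.2", "FirmPortal/4.3"}


@dataclass(frozen=True)
class Session:
    """One access session as the firm's monitoring would record it."""
    session_id: str
    user: str
    device_id: str
    software: str
    location: str
    when: date


@dataclass
class Decision:
    session_id: str
    action: str                      # "allow" or "terminate"
    reasons: list[str] = field(default_factory=list)


def evaluate(session: Session) -> Decision:
    """Check a session against the roster, device inventory and software allowlist.

    Any failed check yields "terminate"; the reasons are kept for the audit log.
    """
    reasons: list[str] = []

    if session.user not in APPROVED_USERS:
        reasons.append("unknown user")
    else:
        departed = APPROVED_USERS[session.user]
        # Rule 2: access ends on the departure date, even for a known user.
        if departed is not None and session.when > departed:
            reasons.append(f"user departed on {departed.isoformat()}")

    owner = APPROVED_DEVICES.get(session.device_id)
    if owner is None:
        reasons.append("unapproved device")
    elif owner != session.user:
        reasons.append(f"device registered to {owner}")

    if session.software not in APPROVED_SOFTWARE:
        reasons.append("unapproved client software")

    action = "terminate" if reasons else "allow"
    return Decision(session.session_id, action, reasons)


def audit_record(session: Session, decision: Decision) -> str:
    """Serialise who/what/where/when plus the decision as one JSON line.

    Sorted keys and structured reasons keep the log machine-checkable
    for an examiner rather than free text.
    """
    record = {
        "session_id": session.session_id,
        "user": session.user,
        "device_id": session.device_id,
        "software": session.software,
        "location": session.location,
        "date": session.when.isoformat(),
        "action": decision.action,
        "reasons": decision.reasons,
    }
    return json.dumps(record, sort_keys=True)


def review(sessions: list[Session]) -> tuple[list[Decision], list[str]]:
    """Evaluate every session and build the audit log alongside the decisions."""
    decisions = [evaluate(s) for s in sessions]
    log = [audit_record(s, d) for s, d in zip(sessions, decisions)]
    return decisions, log


# Constructed sample sessions (hypothetical, for illustration only).
SAMPLE_SESSIONS = [
    Session("s1", "advisor.jane", "LT-1001", "FirmPortal/4.3", "Boston, MA", date(2020, 4, 2)),
    Session("s2", "advisor.bob", "LT-1002", "FirmPortal/4.2", "Hartford, CT", date(2020, 4, 2)),
    Session("s3", "contractor.x", "LT-1001", "FirmPortal/4.3", "Boston, MA", date(2020, 4, 3)),
    Session("s4", "advisor.jane", "LT-9999", "OtherClient/1.0", "Unknown", date(2020, 4, 3)),
]

if __name__ == "__main__":
    for line in review(SAMPLE_SESSIONS)[1]:
        print(line)
```

Running the script prints one audit line per session: the first is allowed, the second is terminated because the advisor's departure date has passed, the third because the user is unknown and the laptop is registered to someone else, and the fourth because neither the device nor the client software is approved. Whatever enforcement hook ends the session in practice, the audit line is what an examiner will ask for.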

DIY Ready

Adhering to these three cardinal rules with DIY advisors might require firms to revamp their data oversight by automating much of the process with a single, comprehensive cybersecurity solution that integrates data protections for home-office and third-party platforms.

As long as DIY-minded independent financial advisors can select their own software and hardware—and there are many sound reasons for allowing them to do so—independent broker-dealer and RIA firms can leave precious little to chance.

Sid Yenamandra is the co-founder and CEO of Entreda, the leading provider of comprehensive cybersecurity solutions for independent retail financial advice firms and their affiliated advisors.
