Investment Advisor Interests   10/18/2022

Understanding the Impact of a Written Information Security Policy (WISP) on RIAs

By Jon Talamas

As registered investment advisors (RIAs) have digitized their firms, the risk of data breaches has grown significantly. Loss exposures have intensified, and so has the danger of attracting regulatory scrutiny should your firm fail to safeguard customer data.

Even though cybersecurity has become a hot-button issue in recent years, it’s not exactly new. The Gramm-Leach-Bliley Act of 2001 (GLBA) required all financial institutions, including RIAs, to adopt a privacy policy. It also mandated consumer disclosure of that policy and gave customers and non-customers the right to opt-out of releasing their information to third parties.

GLBA’s consumer privacy provisions were contained in GLBA’s “Financial Privacy Rule.” But the law also included a “Safeguards Rule” that was pivotal in defining RIAs’ cybersecurity obligations. Financial institutions and RIAs are required to create a Written Information Security Policy (WISP). WISPs describe methods for protecting customers’ personal information. They also require RIAs to perform a rigorous risk analysis of how their personnel handle data and to develop and test a protocol for securing private information. Then, when an RIA firm changes the data it collects, it must also update its WISP.

Since GLBA arrived on the scene two decades ago, there’s been a growing push to require financial institutions and businesses, in general, to safeguard customer data. GLBA’s provisions were initially clarified through the FTC’s Rule 313 n (applying to state-registered RIAs only) and through SEC Regulation S-P for RIAs subject to federal oversight. Furthermore, the implementation of Europe’s General Data Protection Regulation (GDPR) in 2018, along with the advent of data-security regulations in New York, California, and Massachusetts, among other states, has increased compliance pressure on state-registered RIAs. The Securities and Exchange Commission’s (SEC) cybersecurity focus has also sharpened dramatically in recent years.

Why You Need a WISP

Given these developments, the need for RIAs to develop their own WISP is easy to see. They must carefully design it to make sure personal data remain confidential and to protect information against external or internal threats and unauthorized access or use.

The main goal of a WISP is to protect non-public personal information. This applies to personally identifiable financial information the public usually can’t access, including:

  • Client Social Security Numbers
  • Driver’s license numbers or other state-issued ID numbers
  • Financial account numbers or credit/debit card numbers (including security codes or other information needed to access the account)

WISPs must also document the written policies and actions RIAs will take following a data breach, including reporting the incident, diagnosing its scope and remediating the breach to prevent further losses. A WISP should also direct firm principals to notify the SEC or state regulators of a data breach and clients whose data was compromised.

Writing your firm’s WISP depends on whether you’re an SEC-supervised RIA or subject to state supervision. If you’re the former, then your WISP should conform to the SEC’s Regulation S-P and the Gramm-Leach-Bliley Act. If you’re the latter, you should also comply with GLBA’s Safeguards Rule. State-supervised RIAs should also adhere to their jurisdiction’s privacy and data security statutes.

The Benefits of Having a WISP

Creating a WISP isn’t a trivial exercise. If you own or lead an RIA, you might wonder whether the benefits of having one outweigh the time and expense of developing it. Putting the importance of legal compliance aside for the moment, having a WISP makes a great deal of sense for all RIAs. The benefits it affords are compelling since it:

  • Defines who’s authorized to use client data and the responsibilities that come with that access.
  • Makes firm principals, employees, vendors and other parties accountable for wisely using client information. If they don’t, the WISP defines consequences for non-compliance.
  • Identifies and commits to data security best practices and educates company staff and third parties about those standards.
  • Lays down actions needed to mitigate security threats before and after a breach.

Of course, WISPs also have a pivotal role in demonstrating to federal and state regulators that your firm is serious about safeguarding its customer data. But what if your state doesn’t have a governing statute or regulation? Do you still need to develop a WISP? Many compliance experts recommend that you should, since having one will help construct a legal defense if your firm gets sued following a data breach.

Finally, developing a WISP will allow you to strengthen your cybersecurity procedures. Since malicious actors constantly revise their attack methods, creating a WISP will ensure that your defense cordon remains current.

Implementing your WISP

A WISP isn’t a “do once and shelve” document. It should be a living resource that’s updated at least annually. As threat vectors evolve, so should your WISP. It should also respond to changes in cybersecurity regulations. Finally, if your business has grown—for example, entering a new product or service area—your WISP should consider that. In short, if your current defensive measures have fallen behind today’s threats, revising your WISP should help you close your security loopholes.

The Risks of Unencrypted Mobile Devices

Your WISP should address mobile device threats. When your staff uses unencrypted smartphones, tablets, and laptops, they put the information on those devices at risk and threaten the security of your entire IT system. Accordingly, your WISP should define policies to ensure that both firm-owned and employee-owned mobile devices being used at work don’t endanger client data.

The Need for Cyber Liability and Data Breach Insurance

Even with a robust cybersecurity policy, it’s inevitable that a hacker will penetrate your defenses or an employee will make a mistake that sparks a cyber breach. Many RIAs today purchase Cyber Liability & Data Breach Insurance to pay for the expenses involved in these contingencies. How does this form of insurance work? It provides two levels of protection: first-party and third-party.

First-party protection means the policy helps you mitigate a breach’s negative impact on your practice. It does this by paying for things like:

  • Investigation: hiring a forensics IT expert to determine how the breach happened and to fix the security hole.
  • Ransoms: meeting a cybercriminal’s payment demand to unlock your computers, especially if you lack a current system backup.
  • HIPAA fines: providing funds to cover HIPAA penalties or other fines resulting from the incident.
  • Public relations: hiring a PR or crisis management firm to help stem customer defections after a data breach.
  • Client credit monitoring: providing credit monitoring to all parties involved in the incident.
  • Notification expenses: letting affected clients know their personal data was released in a data breach.
  • Legal advice: retaining an attorney to counsel you on the legal impact of the attack.
  • Business interruption support: providing cash to replace income lost due to your inability to operate your business after the cyber breach.

Third-party protection means the policy helps you deal with third-party liability litigation. In other words, your policy will provide funds to retain an attorney to defend you and to pay for legal settlements and judgments imposed on you if a cyber incident results from your negligence.

Put first-party and third-party coverage together, and what do you get? A robust safety net to address most cyber-related RIA risks. If you have yet to purchase such a policy, learn about the coverage options available from 360 Coverage Pros.

Paying too much for your RIA’s Cyber Insurance, or haven’t purchased a policy yet? Consider 360 Coverage Pros for both your E&O and Cyber Liability & Data Breach Insurance policies.

Our E&O insurance for RIAs, investment advisor representatives, registered representatives and financial planners starts at $141.75 per month.