Encryption is a method of protecting sensitive information from access from unauthorized third parties while the data is “in transit” (e.g. via email) or “at rest” (e.g. stored on a laptop computer’s hard drive).
As it relates to encryption, registered investment adviser (“RIA”) firms are unlikely to find any state or federal regulatory compliance rule that explicitly requires the use of encryption. However, this is a common focus area during cybersecurity-related regulatory examinations. As such, RIA firms should consider two “areas” of encryption:
- Electronic communication: In its April 2019 risk alert, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) noted “staff observed registrants did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails to customers containing personally identifiable information (“PII”).” To address this common deficiency, the MyRIACompliance written information security policy (“WISP”) notes that that staff members of an advisory firm should only provide sensitive information electronically to clients via a secure email or client portal system.
Some firms may choose to only use a secure client portal to share sensitive information with clients while other firms may prefer to use secure, encrypted email, or a combination of both methods. One of the most common solutions we have seen RIA firms utilize for secure email is ShareFile, a division of Citrix. Whether a firm adopts ShareFile or another similar solution, encrypted email systems generally require the recipient of the email (e.g. a client) pass through a verification process before being able to access the email’s contents.
- Device protection: RIA firms should strongly consider deploying encryption technology to protect sensitive information that may be held on company devices such as laptop computers. The MyRIACompliance WISP can require staff members to deploy proper data encryption on all staff workstations such as desktop or laptop computers. “Full disk encryption” is the process of securing the contents of the computer’s hard drive. There are a multitude of encryption solutions available for RIA firms to utilize. However, some Microsoft Windows and Apple operating systems already have built-in encryption tools which firms may wish to consider:
- BitLocker: An encryption feature included with Windows versions beginning with Vista. It is included in the Windows 10 Professional and Enterprise versions.
- FileVault: An encryption feature included in the Apple operating system.
We always recommend that firms consult with their information technology provider before deploying any encryption method as there are number of factors to consider. For example, firms should ensure that a full, secure data back up process is implemented, and any data recovery keys are properly stored before implementing encryption technology.
In addition, encryption processes should also be considered in context of other data security tools and procedures such as a implementing a virtual private network (“VPN”) and firewall, or requiring staff members to set computers to automatically lock. Unfortunately, protecting sensitive client information requires a combination of strong human and technological defense measures.