Blog Article

RIA Cybersecurity Compliance: Protecting Non-Public Client Information

Apr 09, 2019

Safeguarding client non-public personal information should be the primary focus of an RIA firm’s cybersecurity program.

 

What is Non-Public Information?

Most registered investment adviser (RIA) firms have access to a variety of personally identifiable financial information for their clients, which constitutes non-public personal information (NPI). For investment advisers, the treatment of this information is governed at a federal level by the Securities and Exchange Commission’s Regulation S-P. This encompasses a broad range of data when it comes to a firm’s clients, who are generally considered to be “consumers” under Regulation S-P. Advisory firms should be aware that many states have their own regulations governing protection of non-public information and similar data, which are often more protective than the federal requirements.

Examples of Non-Public Information

Under federal regulation, NPI generally includes any:

  • Information that a consumer provides in order to obtain a financial service or product from you;
  • Information about a consumer resulting from transactions involving a financial service or product; or
  • Information you otherwise obtain about a consumer in connection with providing a financial service or product to that consumer.

Thankfully, Regulation S-P includes a non-exclusive list of examples of what would be considered NPI:

  • Account balance information and payment history;
  • Information from a consumer report;
  • Information you collect through an Internet “cookie”;
  • Information a consumer provides in an application to obtain a service or product from you;
  • The fact that an individual has obtained a financial service or product from you; and
  • Any other information if it is disclosed in a manner that indicates that the individual is or has been your client.

Notable exclusions from non-public personal information include aggregated information or blind data that does not identify a consumer. That said, given the broad definition of NPI – and particularly the inclusion of information identifying an individual as a client – most of an RIA firm’s technology systems will inevitably contain non-public personal information.

Safeguarding this type of confidential information should be the primary focus of advisory firm’s cybersecurity program. Unfortunately, a cybersecurity data breach involving NPI can lead not only to regulatory issues, but also to significant reputational risk for a firm.  And although there is no foolproof way to safeguard sensitive client information, taking fundamental cybersecurity measures makes an RIA firm a more difficult target. This considerably reduces the likelihood of the firm’s clients’ NPI being illegitimately accessed or stolen by a bad actor.

Example of Regulatory Consequences

In September of 2015, an investment advisory firm agreed to a $75,000 settlement for charges that it failed to establish the required cybersecurity policies and procedures including violations of the Regulation S-P Safeguards Rule. In this particular case, cyber attackers gained access to data on a third party-hosted web server which provided them with unauthorized access to NPI for more than 100,000 individuals. Even though the firm did not receive any indications of clients suffering financial harm as a result of the data breach, the firm was still charged by the Securities and Exchange Commission with failing to adopt written policies and procedures reasonably designed to safeguard client information. The message is clear: RIA firms need to do all they can to help prevent a potential breach, and should one occur, be prepared with a response plan.

Given both the potential regulatory and reputational risk that the exposure of non-public personal information poses to advisory firms, committing to and implementing policies and procedures along with staff training to protect NPI is essential for all investment advisers.