Risk Alert: Use of Third Parties for Network Storage

02 July 2019

Main Contributor: Elizabeth Cope, CPA, CSCP, CIPM, CEO & Lead Consultant


As a reminder, a “Risk Alert” is the SEC’s way of giving you a heads-up about patterns of deficiencies during recent examinations.  They can help you stay on top of your game.

On May 23, 2019, the SEC issued a risk alert on utilizing third parties to host and store records.  Using a third party is not necessarily a problem, but it could be if you don’t fully understand what you are using and how it’s set up.  If you’re not tech-savvy and/or don’t have the knowledge or resources internally to completely understand and proficiently implement the solution, then it’s probably worth outsourcing to an IT provider that can do the research for you and confirm your configurations are at their best possible setting.  Keep in mind, it is your fiduciary duty to have a secure solution for maintaining the privacy of your clients’ information.

Key Take-Aways

Due Diligence

The SEC wants to see procedures that address the oversight and due diligence of third-party service providers.

SCS Suggests

If you haven’t already, put together a matrix of your service providers that details:

  1. the services provided,
  2. whether or not they are critical to your firm,
  3. if they have access to sensitive information, and
  4. whether or not you rely on them for books and records.

Download your free Service Provider Matrix template

Based on the categories above, we recommend you set up a review schedule for each service provider and a questionnaire specific to the service provider and risks.  Instead of a questionnaire you could also rely on testing completed by the service provider (e.g., SOC report) or even conduct an on-site visit.

Books and Records

The SEC cited deficiencies for advisers that did not classify the location of records.  For some advisers, it can be straightforward, noting simply the hosted provider (such as Office 365) and that all records are stored electronically.  For others, it may be more involved if several solutions are being utilized and the records storage varies from electronic to hardcopy.

SCS Suggests

We highly recommend undergoing a Books & Records exercise to identify:

  1. where the record is located,
  2. whether it’s hard copy or electronic, and
  3. who’s responsible for maintaining that record.

Completing this exercise will prepare you for when you undergo an SEC exam, and it aligns with the GDPR requirements for privacy on EU clients.

We created a Books & Records Matrix for you for this exercise.  It lists all of the required records and their required retention periods from the Advisers Act and is set up as a template for you to populate.  Request your copy of the Books & Records Matrix template.

Review of Current Systems

The SEC identified concerns about advisers not adequately configuring security settings for their network storage solutions.

SCS Suggests

In your Cybersecurity policy, we recommend including a policy to review your current security configurations.  You want to make sure you are taking advantage of the security settings available to you.  For example, one simple and effective tool is multi-factor authentication.  Most cloud providers, such as ShareFile and Office 365, offer this solution, but you do have to activate it.  This one step can reduce the risk of unauthorized access.  We also recommend hiring a third party to conduct a vulnerability scan.  This usually entails mapping out the current environment at your firm, the controls in place, and any gaps or holes, along with recommendations to tighten security controls.


Because the world of technology is ever-changing, it’s important to keep in mind that these are not one-time suggestions.  To keep abreast of information security, it’s important to schedule regular reviews of your service providers, your processes and policies around the safety of client records, and the configuration of your software and applications.  Basically, the most important take-away from this Risk Alert is to have a solid due diligence process in place, and if you don’t have the resources to achieve certain aspects of that, outsource to someone who can help you meet your fiduciary obligation.