For most financial advisors, regulatory compliance is not a favorite part of their job. In fact, they often express negative opinions about it. But when it comes to assuring client privacy, the industry has an effective regulatory framework that advisors should vigorously support. However, the threats to client privacy are so pervasive that mere regulatory compliance isn’t enough.
For example, according to a 2016 Ponemon Institute study, the average total cost of a data breach last year was $4 million, which amounts to a per-record cost of $158. The study also found that the chance of a firm suffering a data breach involving at least 10,000 lost or stolen records over a two-year period was 26 percent. How many client files are on your computers, and could you afford a financial hit equal to $158 per hacked record? We thought so.
What to do? Start by complying with today’s privacy regulations. Most advisors are familiar with the requirement to give customers a general description of their privacy policies and procedures. The privacy-notice requirement also obliges advisors to detail the types of information they collect as well as the information they disclose to affiliates and non-related third parties. Finally, it mandates giving clients the ability to opt out of the sharing of certain types of information.
But don’t stop there. Raise your game by using the privacy notice to guide your business practices. For example, do you decline to give marketing vendors information that isn’t covered by your privacy notice? Do you collect certain pieces of non-public personal information (NPI) without informing your clients (and updating your privacy notice)? To make this regulation effective, you should strive to keep your business procedures fully in sync with your privacy statement: if a practice changes, the notice changes with it.
The other big piece of today’s privacy regulation is Section 30(a) of the SEC’s Regulation S-P, the so-called “Safeguard Rule.” In a nutshell, this rule requires securities professionals and investment advisors to formulate written policies and procedures designed to protect customer information against unauthorized access and use. In other words, it’s no longer enough to disclose the confidential information you’ll collect and use. You must also keep that information safe while it’s under your control.
Regulators suggest advisors take common-sense steps to this end, such as keeping client files in locked rooms or locked cabinets, making sure staff have a legitimate business reason before they work with client information, shredding old files, password-protecting computers, and mandating screen locks so that client data stays away from prying eyes.
But again, the mounting threat level suggests that advisors have to raise their game accordingly. According to the law firm Quarles & Brady, the recent Morgan Stanley Smith Barney case (in which an advisor copied 730,000 customer data files to his laptop computer, which was then hacked, resulting in the customer information being offered for sale on the Internet to criminals) shows that financial advisors need to think one move ahead in countering these threats. For example . . .
- They should not only have safeguards, but also stress-test them to make sure they’re effective in the real world, not just on paper.
- They should know which staff members are accessing what type of data, and conduct spot checks of that access as needed.
- Finally, they should have their IT experts put controls in place that prevent customer data from being copied to outside computers, such as personal laptops or removable media.
The point is this. To shield client information against hackers, financial advisors must not only follow the regulations, but also raise their game accordingly. Yes, it’s a hassle, but the payoff in terms of greater client safety, customer satisfaction, and firm reputation, and of lower E&O insurance exposure, is immense. Next move . . . yours!
For information on affordable E&O insurance for low-risk insurance agents, investment advisors, and real estate broker/owners, please visit EOforLess.com. For information on ethical sales practices, please visit the National Ethics Association’s Ethics Center.