Data Protection: Privacy, Identity Theft and Cybersecurity
In the past several years regulatory scrutiny of data protection has expanded from basic issues of privacy, to requirements for dealing with identity theft, to detailed assessments of firm-wide cybersecurity. Advisers and brokers are now facing the reality of continually reassessing their efforts to prevent, detect, and respond to a constantly-changing risk.
Investment advisers and broker-dealers cannot conduct business without gathering and maintaining customer information. Federal and state regulators are mandating strict controls and procedures to help ensure that this information does not fall into the wrong hands. In its examinations, SEC staff focuses heightened attention on a firm’s information security or “safeguarding” controls for protecting client information. Businesses must also be aware of the increasingly strict state laws setting minimum criteria for information security.
The SEC and CFTC have followed FINRA in adopting identity theft red flags rules applicable to regulated entities. Certain investment advisers may be subject to these rules depending on the type of authority they are provided by their individual clients or private fund investors. Covered firms are required to adopt policies and procedures for detection of and response to identity theft.
The SEC Office of Compliance Inspections and Examinations released two Cybersecurity Risk Alerts: the first in 2014 announcing a sweep examination initiative to determine the current state of cybersecurity preparedness; and the second in 2015 sharing the results of the sweep initiative. The widespread release of this initiative clearly signals the SEC’s desire to have all registered firms develop and implement thorough, well-documented cybersecurity programs tailored to meet each firm’s own business model.
This seminar is designed to help you understand what the regulators are expecting firms to do and to give your firm the tools to effectively design and implement an information security program. Expert instructors will discuss the core principles of privacy, identity theft and cybersecurity to increase preparedness and help firms map policies and procedures to their particular risk profile.
Topics to be discussed include:
- Privacy of Consumer Financial Information (Regulation S-P)
- Regulation S-ID: Identity Theft Red Flags
- Developing a cybersecurity risk assessment
- Using personal devices for business purposes
- Pros and cons of cloud computing
- Due diligence of third-party vendors and special concerns when outsourcing IT
- Written policies and procedures
- Integrating cybersecurity into your annual review
- Resources for determining best practices
- What to do when a security breach occurs
- Employee training
- Insurance coverage
After completing this course, attendees should be able to:
- Identify Regulation S-P requirements concerning privacy notice delivery and create firm-wide policies and procedures concerning privacy practices
- Decipher the safeguarding requirements under Regulation S-P
- Outline strong internal controls to identify and assess the red flags of identity theft and data breaches, effective safeguards for controlling these risks, responses to information breaches and recommended steps for preventing them, and reasonable monitoring and testing of your safeguarding program
- Examine the efforts on the part of the states and the SEC to impose broader and more specific requirements on firms that collect personal information
- Conduct a cybersecurity risk assessment to help identify and manage related risks
- Establish a protocol for documenting the firm’s cybersecurity preparedness in written policies and procedures
- Assess the role of technology in both the problems and solutions related to the firm’s cybersecurity
- Help your firm gauge its cybersecurity preparedness and implement an appropriate program
For whom: Designed to increase the professional competence of investment adviser and broker-dealer professionals with legal, compliance, operations, technology and management responsibilities.
Suggested Skill Level: Basic
Instructional Method: Group Internet-Based
Prerequisites for participation: No prerequisites are required.
Advance Preparation: None.
Continuing Education Credits: TBD
NRS Continuing Education Guide