Mandates Beyond the Advisers Act: Data Protection: Privacy, Identity Theft and Cybersecurity
In the past several years regulatory scrutiny of data protection has expanded from basic issues of privacy, to requirements for dealing with identity theft, to detailed assessments of firm-wide cybersecurity. Advisers and brokers are now facing the reality of continually reassessing their efforts to prevent, detect, and respond to a constantly-changing risk.
Investment advisers and broker-dealers cannot conduct business without gathering and maintaining customer information. Federal and state regulators are mandating strict controls and procedures to help ensure that this information is not compromised. Regulatory examination priorities continue to focus heightened attention on a firm’s information security or “safeguarding” controls for protecting customer information. Firms must also be aware of the increasingly strict state laws setting minimum criteria for information security and breach response.
The SEC, CFTC, and FINRA have adopted identity theft red flags rules applicable to regulated entities. Certain investment advisers may be subject to these rules depending on the type of authority assigned to them by their individual clients or private fund investors. Covered firms are required to adopt policies and procedures for detection of and response to identity theft.
Over the last several years both the SEC and FINRA have issued various alerts and notices to regulated entities. Both regulators have led, and continue to apply, initiatives related to cybersecurity practices at firms. In December 2017 FINRA released a report on examination findings related to cybersecurity, and in August 2017 the SEC Office of Compliance Inspections and Examinations released its Observations from Cybersecurity Examinations. The widespread release of findings and observations clearly signals the regulatory desire to have all registered firms develop and implement thorough, well-documented cybersecurity programs.
This seminar is designed to help you understand what the regulators are expecting firms to do and provide tools to effectively design and implement an information security program. Expert instructors will discuss the core principles of privacy, identity theft and cybersecurity to increase preparedness and help firms map policies and procedures to their particular risk profile.
Topics to be discussed include:
- Privacy of Consumer Financial Information (Regulation S-P)
- Regulation S-ID: Identity Theft Red Flags
- Developing a cybersecurity risk assessment
- The importance of asset, information, and user inventories
- Written policies and procedures
- Employee training
- Due diligence of third-party vendors and special concerns when outsourcing IT
- What to do when a security breach occurs
- Insurance coverage
- Integrating cybersecurity into your annual review
- Resources for determining best practices
After completing this session, attendees should be able to:
- Identify Regulation S-P requirements concerning privacy notice delivery and create firm-wide policies and procedures concerning privacy practices
- Decipher the safeguarding requirements under Regulation S-P
- Outline strong internal controls to identify and assess the red flags of identity theft and data breaches, effective safeguards for controlling these risks, responses to information breaches and recommended steps for preventing them, and reasonable monitoring and testing of your safeguarding program
- Examine the efforts on the part of the states and regulators to impose broader and more specific requirements on firms that collect personal information
- Conduct an information security assessment to help identify and manage related data risks
- Assess the role of technology in both the problems and solutions related to the firm’s data protection
- Help your firm gauge its information breach preparedness and implement an appropriate response program
For Whom: Designed to increase the professional competence of investment adviser and broker-dealer professionals with legal, compliance, operations, technology and management responsibilities.
Suggested Skill Level: Basic
Instructional Method: Group Internet-Based
Prerequisites for participation: No prerequisites are required.
Advance Preparation: None