Compliance Solutions for Investment Advisers

FAQs — Safeguarding Client Information


Are registered investment advisers required to enact safeguards for the protection of clients’ nonpublic personal information?

SEC-registered investment advisers are required to adopt policies and procedures that address administrative, technical, and physical safeguards to protect the nonpublic personal information of its clients. Taken together, these policies and procedures constitute an advisory firm’s written information security plan.

Do the same requirements apply to state-registered investment advisers?

State-registered investment advisers are subject to similar rules promulgated by the Federal Trade Commission.

What is nonpublic personal information?

Nonpublic personal information includes:

  • Information provided by an individual to a financial institution to obtain a financial product or service from such institution (e.g., information provided on an application);
  • Information about an individual resulting from any transaction with the financial institution (e.g., transaction history);
  • Information obtained about an individual in connection with providing a financial product or  service to such individual (e.g., information from a credit report);
  • A list, description or other grouping of individuals (and publicly available information pertaining to them) that is derived from nonpublic personal information (e.g., a list of individuals, names and street addresses derived using such individuals, account numbers);
  • The fact that an individual is or has been a customer of a financial institution; and
  • Any information collected through an internet cookie.

What is not considered nonpublic personal information?

Nonpublic personal information does not include:

  • A list of names and addresses of clients of an entity that is not a financial institution;
  • Information that does not identify the individual (e.g., aggregate information or blind data); or
  • Publicly available information, unless the information is part of a client list that is derived using nonpublic personal information.

What is the purpose of the information security plan?

The information security plan should be reasonably designed to: (i) insure the security and confidentiality of client records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of client records and information; and (iii) protect against unauthorized access to or use of client records or information that could result in substantial harm or inconvenience to any client.

Does an advisory firm need to designate an information security plan coordinator?

In order to ensure accountability and achieve adequate safeguards, an adviser should designate someone to be in charge of coordinating, implementing, maintaining and enforcing the information security plan.

What are the responsibilities of the plan coordinator?

The plan coordinator should identify and assess the reasonably foreseeable risks to the security, confidentiality and integrity of nonpublic personal information in each relevant area of the advisory firm’s operation. In addition, the plan coordinator should oversee the firm’s service providers by (i) selecting and retaining service providers that are capable of maintaining appropriate safeguards for the nonpublic personal information at issue; and (ii) requiring service providers by contract to implement and maintain such safeguards.

What types of management and training practices should the advisory firm implement?

Some common management and training practices in this area include:

  • Checking references prior to hiring supervised persons who will have access to nonpublic personal information;
  • Training supervised persons to take basic steps to maintain the security, confidentiality and integrity of nonpublic personal information;
  • Instructing and regularly reminding all supervised persons of the firm’s policy and the legal requirement to keep nonpublic personal information secure and confidential; and
  • Impose disciplinary measures for any breaches.

What are some of the “basic steps” a firm can take to maintain the security, confidentiality and integrity of nonpublic personal information?

While these will vary from adviser to adviser, basic steps may include all or some of the following:

  • Locking rooms and file cabinets where paper records are kept;
  • Using password-activated screensavers;
  • Using strong passwords (eight or more characters);
  • Changing passwords periodically, and not posting passwords near supervised persons’ computers;
  • Encrypting nonpublic personal information when it is transmitted electronically over networks or stored online;
  • Referring calls or other requests for nonpublic personal information to designated individuals who have had safeguards training; and
  • Recognizing any fraudulent attempt to obtain nonpublic personal information.

Are investment advisers required to implement certain procedures to protect their information systems?

Advisers should install reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date patches and virus definitions (or a version of such software that can still be supported with up-to-date patches and virus definitions and is set to receive the most current security updates on a regular basis).

How should an advisory firm account for telecommuting or the use of portable devices such as laptops, tablets and smart phones?

The amount of personal information that can be stored (and lost) on the many portable electronic devices available to employees – be they laptops, smart phones or the next new gadget – should be enough to keep chief compliance officers awake at night.  Any proper telecommuting policy must first begin with a determination of whether and how an employee that telecommutes should be allowed to keep, access and transport data comprising personal information.  Once these initial determinations have been made, advisers can develop appropriate policies and implement procedures to protect nonpublic personal information from ending up on the family computer with an unsecure wireless connection or on the laptop computer left in the back seat of a rental car.

What are an investment adviser’s responsibilities in the event of a data breach?

Investment advisers should immediately mitigate any further risk to client information (e.g., seal off the breach). Advisers should then identify the type of information breached (account numbers, social security numbers, names or passwords) and the client accounts involved. Advisers must also assess whether to alert the FBI or other appropriate law enforcement agencies of any data breach that my involve or create a substantial risk of criminal activity.

Are investment advisers required to notify clients?

Yes. An investment adviser should shall prepare a form of notification that addresses essential facts about the data breach, including, as applicable:

  • A general description of the incident, including the type of information breached;
  • The steps taken or to be taken by the advisory firm to mitigate risk of further data breaches; and
  • How clients may obtain further information.

Are there any other requirements in the event of a data breach?

Advisers MUST check the state regulations of each state in which an affective client resides. State law is very detailed as to what constitutes a data breach and client and law enforcement notification requirements. Even though an investment adviser is registered with the SEC, the advisory firm is still subject to all state laws.


Important Information

The information contained in this Frequently Asked Questions is only a summary and is not intended to be a comprehensive analysis of the rules and regulations applicable to registered investment advisers. It is not intended to constitute legal or compliance consulting advice or apply to any one investment adviser’s particular situation. For more information, please see our Terms of Use.