Dear Compliance Professional,
The protection of a client’s non-public personal information is one of the most important tasks entrusted to an investment adviser. Unfortunately, it is also one of the most vexing issues confronting compliance professionals. Any time an adviser stores non-public personal information on a computer that is connected to the Internet, transmits such information via unencrypted email or archives it in the “cloud,” that information is at risk of improper disclosure.
For those advisers who allow employees to work remotely or who have employees who travel frequently as part of their job, the risk of illicit disclosure increases geometrically. It is easy to see why. Home computers (accessible to the entire family), portable computers (including laptops and tablets), smartphones, iPads and other similar devices are just as capable of holding vast amounts of sensitive client information as is any office-based computer, yet often lack the same data security safeguards.
If you do have employees working remotely or conducting business from the road, I absolutely guarantee you that the SEC (and often state regulators as well) will want to hear about your data security procedures for the devices used by these employees. One thing that we suggest to our clients is to have these employees attest to the fact that any device that contains sensitive client information has the latest data security safeguards.
The attestation is as follows (but can and should be tweaked to fit your situation):
The undersigned supervised person of _____________________ (the “Company”) hereby acknowledges and agrees:
That they have installed on all personal computers (e.g., any computer, tablet, smartphone, iPad, or similar type of device not provided to them and maintained by the Company) used to transmit and store data pertaining to the Company’s investment advisory business:
An Antivirus, Anti-Malware, and Spyware system(s) with a current subscription that automatically updates the installed software and virus detection libraries.
________________ _______________ __________
Name (Print) Signature Date
Lest you think this is overkill, last year a broker-dealer was fined $100,000 because certain employee computers did not have the latest anti-virus software. And by the way, that was $100,000 per computer.