Securities lawyer Daniel Bernstein says that while there really aren’t any specific compliance regulations about cybersecurity, advisors can seek guidance from closely related rules that are already in place. Bernstein, director of research and development at the regulatory financial consulting firm MarketCounsel, says advisors should look to the SEC’s Regulation S-P, which is aimed at protecting consumer financial information by requiring notice of privacy policies and by preventing the disclosure of personal information to third parties.
Most states have also adopted their own data protection programs, and many of those regulations address cybercrime-related issues. “Those regulations are in place regardless of whether you’re SEC or state-registered,” says Bernstein. “It’s for anyone who has a client in that state.” He recommends looking at Massachusetts’ law, which is known for its detail in outlining preventive measures.
It’s usually easier for larger firms, with large IT departments or even their own security experts, to keep up to date with security issues, but it’s essential that advisors of all sizes do their due diligence. Bernstein says that he sees most non-compliance penalties around Regulation S-P when an advisor or broker fails to keep client information secure. Often, the infraction results in a deficiency letter, which isn’t made public, he says, while fines occur more often when client data is actually stolen. The biggest problem occurs when the advisor should have known about, or could have stopped, the theft of a client’s information or money. In addition to legal liability and a damaged reputation, advisors are likely to face regulatory penalties. “If you should have known that your client information was at risk, and you didn’t do anything to stop it, they’ll find a rule to fit that into,” says Bernstein.