30 Sep 2015

SEC Fines Investment Advisor under the Safeguards Rule

By Ben Mazza, COO of InvestorFlow
R.T. Jones Failed to Adopt Written Policies and Procedures Reasonably Designed to Safeguard Customer Information
Last week the National Law Review posted an article that all investment advisors should read. It is titled "SEC Says No More Mr. Nice Guy on Investment Adviser Cybersecurity." InvestorFlow received the rights to reuse the article, which can be read here.

The article references the SEC's write-up on the matter with R.T. Jones. Within that SEC document is something that was not touched upon much by the National Law Review, and I'd like to share some thoughts on it here. It relates to the protection of data at a third party.

A while back I spoke with a SANS Institute speaker about a similar R.T. Jones situation. If you're not familiar with the SANS Institute, this organization specializes in information security and cybersecurity training. He provided advice related to people, processes and technology (I later hired him since he was one of the sharpest minds on this topic). He had a way with words, simplifying the topic for business people. One of his suggestions was to ask the third party for written controls for storing and protecting their data. Controls that are verified by a third party. Yes, a third party verifying the third party. Simple advice that we take seriously at InvestorFlow.

We too have a third party who manages our infrastructure, security and hardware. They're called Rackspace, a world leader in managed hosting. They are audited by Ernst & Young LLP and others, who provide an annual audit statement known as a SOC 2 Type 2 report. Such a report can be included in a fund manager's compliance manual. As the American Institute of CPAs (AICPA) states, these "reports are designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant." More about these reports can be found here on the AICPA's site.

These reports tend to be hefty, with the Rackspace document approaching 90 pages, but they provide the level of audit needed by fund managers today.

