I recently got a mortgage and it was surprising how much information a total stranger was asking for—and I had to give them this information. I, of course, checked out the firm with various associations to ensure it was legitimate. But through this experience I realized how clients must feel about advisers having so much personal information on their family. Additionally, expectations that an adviser will keep that information secure is assumed to be perfect. With this level of expectation, documenting will go a long way to managing security. Much like other policies and procedures manuals and checklists, security should follow the same pattern. Unfortunately there is no one single format that works for all firms, but here are some items to consider when creating such a document.
- Risk analysis
- Staff member roles
- Physical security
- Electronic communication (email/Smart phones)
- Blogs and personal websites
- Facility design, construction and operations
- Media and documentation
- Data and software security
- Network security
- Internet and IT contingency planning
- Outsourced services
- Employee termination procedures (IDs, passwords, expense accounts, remote access, etc.)
- Incident reporting procedures
- Access control guidelines
- Security compliance checklists
It seems like a lot, but addressing each one of these items will help in building a manual that will grow over time. Additionally, sharing this level of information with clients about how you are keeping their information safe can differentiate your practice.
Ash Bhatnagar, CFP®
RIA Independence Co.