You probably don’t need to be convinced that information security is critically important. But just in case you do, you should know that the U.S. Securities and Exchange Commission (SEC) continues to emphasize the importance it places on information security. In our last two posts, Marc and Craig began our discussion of the SEC’s Division of Examinations’ (EXAMS) 2021 priorities related to information security. In today’s post, we’ll continue that theme by looking at a 2021 EXAMS’ priority of particular relevance for robo-advisory firms: access rights and controls.
To start, let’s establish a baseline for specifically what the SEC is concerned with regarding access rights and controls. The 2021 EXAMS’ priorities states that “[EXAMS] will review whether firms have taken appropriate measures to…safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access.” In short, your firm must have controls in place to verify the identity of your clients and protect against unauthorized access of their accounts. As a robo-adviser, your firm’s connectivity to clients is entirely based on the client’s ability to access their account through your website or app. Given this dynamic, let’s review best practices that your firm should have in place.
- User Access – the first step to having proper controls in place is to ensure each user has appropriate access. As part of the client on-boarding process, your systems should clearly identify the client and only permit access to data and features of your systems necessary for the client to manage their account.
- Access Management – once a client has been integrated into your systems, the issue of access management becomes critical. You obviously want to prevent third-party access to your clients’ information, but you should also have controls in place to restrict unnecessary access by employees. General best practices for access management include (i) incorporating a separate approval process for clients who wish to add an additional user to their account; (ii) requiring clients to re-certify access rights on a periodic basis; (iii) mandating strong password requirements, including the requirement to periodically update; (iv) requiring multi-factor authentication to obtain account access; and (v) deleting systems access immediately for former employees.
- Access Monitoring – in order to properly manage access to your clients’ accounts, your control procedures should include the following monitoring policies: (i) tracking failed login attempts and revoking access after a predetermined number of failed attempts; (ii) properly authenticating clients when handling requests, such as for username or password information; and (iii) periodically reviewing the software and hardware components of your systems to ensure all aspects of your infrastructure are current and, when necessary, augmented with updates and patches.
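The failed-login tracking described under Access Monitoring is easy to state but has a few details that matter in practice: the failure count should be scoped to a time window so stale failures from days ago do not accumulate, a lockout must reject even a correct password until it expires, and a successful login should reset the counter. The following is an added example, not code from the original post or from any firm or product it discusses, that runs such a policy over constructed authentication log lines and records the decision for each attempt; the log format, the `LockoutPolicy` thresholds, and the function names are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """Thresholds are illustrative assumptions, not a regulatory requirement."""
    max_failed_attempts: int = 5          # lock after this many failures in the window
    window: timedelta = timedelta(minutes=15)
    lockout: timedelta = timedelta(minutes=30)


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failure timestamps
    locked_until: Optional[datetime] = None


class LoginMonitor:
    """Tracks failed logins per user and enforces a windowed lockout."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.alerts: List[str] = []

    def handle(self, ts: datetime, user: str, outcome: str) -> str:
        state = self.accounts.setdefault(user, AccountState())

        # A lockout rejects every attempt, including one with the right password.
        if state.locked_until is not None:
            if ts < state.locked_until:
                self.alerts.append(f"{ts.isoformat()} {user}: attempt during lockout rejected")
                return "rejected_locked"
            state.locked_until = None       # lockout expired: start with a clean slate
            state.failures.clear()

        if outcome == "SUCCESS":
            state.failures.clear()          # a good login resets the failure counter
            return "allowed"

        # Failure: keep only failures inside the sliding window, then add this one.
        cutoff = ts - self.policy.window
        state.failures = [t for t in state.failures if t > cutoff]
        state.failures.append(ts)
        if len(state.failures) >= self.policy.max_failed_attempts:
            state.locked_until = ts + self.policy.lockout
            self.alerts.append(
                f"{ts.isoformat()} {user}: {len(state.failures)} failures in window, "
                f"locked until {state.locked_until.isoformat()}"
            )
            return "locked"
        return "failed"


# Constructed sample log: "<ISO timestamp> <user> <SUCCESS|FAIL>", deliberately out of order.
SAMPLE_LOG = """\
2021-03-01T09:00:00 alice FAIL
2021-03-01T09:00:10 alice FAIL
2021-03-01T09:00:20 alice FAIL
2021-03-01T09:00:30 alice FAIL
2021-03-01T09:00:40 alice FAIL
2021-03-01T09:01:00 alice SUCCESS
2021-03-01T09:31:00 alice SUCCESS
2021-03-01T09:00:05 bob FAIL
2021-03-01T09:00:15 bob FAIL
2021-03-01T09:00:25 bob SUCCESS
2021-03-01T09:00:35 bob FAIL
2021-03-01T08:00:00 carol FAIL
2021-03-01T08:00:01 carol FAIL
2021-03-01T08:00:02 carol FAIL
2021-03-01T08:00:03 carol FAIL
2021-03-01T09:00:00 carol FAIL
"""


def parse_log(text: str):
    """Parse log lines into (timestamp, user, outcome) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return sorted(events, key=lambda e: e[0])


def run_monitor(text: str = SAMPLE_LOG, policy: LockoutPolicy = LockoutPolicy()):
    """Return per-user decision lists and the alerts raised while processing."""
    monitor = LoginMonitor(policy)
    decisions: Dict[str, List[str]] = {}
    for ts, user, outcome in parse_log(text):
        decisions.setdefault(user, []).append(monitor.handle(ts, user, outcome))
    return decisions, monitor.alerts


if __name__ == "__main__":
    results, alerts = run_monitor()
    for user, history in results.items():
        print(user, history)
    for alert in alerts:
        print("ALERT", alert)
```

In the sample, alice is locked on her fifth failure and her correct password at 09:01 is still rejected, bob's successful login clears his two earlier failures so the later failure starts a fresh count, and carol's four failures from an hour earlier fall outside the 15-minute window and do not count toward a lockout. The alerts list is what a monitoring pipeline would forward to the team reviewing account intrusions.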
For more information on access rights and controls, and other information security observations, you should review EXAMS’ 2020 Guidance Release, and of course, reach out to your legal or compliance professional with any additional questions.
Thank you for your continued readership. Check back next time when Marc will be discussing how to limit liability for robo-advisory firm CCOs.