Cybersecurity, Privacy, and Data Protection
With fiduciary duties and conflict rules in place, protecting client information is the next critical obligation. An adviser can follow every trading rule perfectly and still face enforcement action if client data is mishandled.
Regulation S-P (Privacy of Consumer Financial Information)
Regulation S-P implements the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) for SEC-registered financial institutions.
Think of it this way: Regulation S-P is the "privacy notice" rule. Whenever a firm collects personal financial data from a client, S-P dictates what the firm must tell the client and what choices the client gets about how that data is shared.
Core requirements:
- Written privacy policies: Must adopt and maintain written privacy policies and procedures
- Initial privacy notice: Provide to customers at the start of the relationship
- Annual privacy notice: Provide to customers each year for as long as the customer relationship continues. The one carve-out: a firm that shares NPI only under the rule's exceptions and has not changed its privacy policies since the last notice is exempt from the annual notice (the FAST Act exception, codified in the 2018 amendments to Regulation S-P)
- Opt-out right: Allow customers to opt out of sharing nonpublic personal information (NPI) with non-affiliated third parties
Exceptions to opt-out requirement: Firms may share information without providing an opt-out when:
- Sharing with service providers, or with another financial institution under a joint marketing agreement, provided the firm discloses this sharing in its privacy notice and the recipient is contractually bound to confidentiality and to using the information only for the stated purpose
- Maintaining and servicing customer accounts
- Protecting against fraud
- Complying with legal and regulatory requirements
Exam Tip: Gotchas
- Regulation S-P requires BOTH an initial AND an annual privacy notice; missing either one is a violation. The only out is the narrow annual-notice exception for firms that share solely under the rule's exceptions and have not changed their policies since the last notice.
- Customers can opt out of sharing with non-affiliated third parties, but there are exceptions (fraud prevention, account servicing, joint marketing). The opt-out right is not absolute.
Safeguards Rule
The Safeguards Rule (part of Regulation S-P) requires brokers, dealers, investment companies, and registered investment advisers to adopt written policies and procedures, addressing administrative, technical, and physical safeguards, that are reasonably designed to:
- Ensure the security and confidentiality of customer records and information
- Protect against anticipated threats or hazards to the security or integrity of those records
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer
A companion disposal provision requires firms to properly dispose of consumer report information so it cannot be practicably read or reconstructed.
Exam Tip: Gotchas
- The Safeguards Rule requires WRITTEN policies and procedures. Verbal or informal policies are not sufficient, even if the firm's actual practices are sound. If an exam question describes an adviser with "informal" or "verbal" safeguards, that is a violation.
Cybersecurity Program Elements
Investment advisers and broker-dealers should maintain cybersecurity programs that address:
- Risk assessment: Identify and evaluate cyber threats
- Access controls: Limit who can access sensitive data
- Data encryption: Protect data in transit and at rest
- Incident response plans: Procedures for responding to breaches
- Employee training: Regular cybersecurity awareness education
- Vendor management: Ensure third-party service providers also protect client data
Data Breach Notification
- State breach notification laws apply to advisers based on where the affected individuals reside, and their definitions of "personal information," triggers, and deadlines differ from state to state
- Most states require prompt notification to affected individuals, and many set an outer deadline (often measured in days from discovery of the breach)
- Many states also require notification to the state attorney general or another state regulator, typically above a threshold number of affected residents
- The SEC's 2024 amendments to Regulation S-P layer a federal requirement on top of state law: covered firms must notify affected individuals of certain incidents involving sensitive customer information as soon as practicable, and no later than 30 days after becoming aware of them
- NASAA guidance emphasizes that investment advisers should have clear written procedures for breach detection, escalation, and response, not just for notification after the fact
Exam Tip: Gotchas
- Data breach notification requirements vary by state, and there is no single federal standard covering all financial institutions. An adviser operating in multiple states must comply with each state's specific notification rules, alongside any federal obligations that apply to it under Regulation S-P.