Investment advisors are prime targets for bad actors, as they have access to a treasure trove of clients’ private information such as social security numbers, personal histories, and liquid assets. In response, the U.S. Securities and Exchange Commission (SEC) has worked to tighten up rules and regulations around data privacy and protection.
In May 2024, the SEC amended Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which applies to brokers, dealers, investment companies, registered investment advisors, funding portals, and registered transfer agents. The compliance deadline for larger companies was December 3, 2025, but smaller entities have until June 3, 2026 to comply. In essence, the amended rule provides more narrowly focused guidelines for how companies should protect clients’ private data, including a 30-day notification rule for data breaches, mandatory written safeguard policies, enhanced oversight requirements for third-party service providers, and more.
Below are some best practices that advisors can take to ensure client data remains private and protected.
Maintain Secure Communication Protocols
Never send Personally Identifiable Information (PII) via standard email. Always use a dedicated client portal or encrypted file-sharing service for document exchange, and for routine messaging whenever PII is part of the conversation.
Mandate a verbal callback protocol for any request to move money or change sensitive account details.
Clean Desk, Clean Screen
Never leave PII on physical or digital desktops. Shred old drafts of documents immediately and lock filing cabinets when not in use. Computer screens should automatically lock (not just go to sleep) after two minutes of inactivity. Along the same lines, never discuss client details, including names, in public areas such as elevators, coffee shops, or even airplanes.
Verify, Then Trust
Multi-Factor Authentication (MFA) should be the standard everywhere, from email to any application used in the firm.
Keep employees on a “need to know” access basis, based on their specific role.
Use AI with Caution
Every firm should have an Artificial Intelligence (AI) policy. If your team is using ChatGPT or similar tools to draft client emails or summarize meetings, ensure they remove any PII, such as names and dollar amounts, before submitting a prompt.
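The pre-submission check this policy calls for can be automated. The following is an added example, not code from the article or the firm: a small Python filter that flags and redacts common PII before a prompt leaves the firm. The PII categories, the regular expressions, the sample prompt, and the client-name list passed in by the caller are all assumptions about what a firm's AI policy would cover.

```python
import re

# Assumed PII categories a firm's AI policy would strip before any prompt is submitted.
# Patterns are deliberately simple; tune them to the firm's own data formats.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dollar_amount": re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Lookarounds instead of \b so "(555) 123-4567" and "555-123-4567" both match.
    "phone": re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "account_number": re.compile(r"\b(?:acct|account)\s*#?\s*\d{6,}\b", re.IGNORECASE),
}


def redact_prompt(text, client_names=()):
    """Return (redacted_text, findings).

    findings is a list of (category, matched_value) so a reviewer can see exactly
    what would have leaked. client_names is an assumed list supplied by the caller
    (for example, exported from the firm's CRM); matching is exact and case-sensitive.
    """
    findings = []
    redacted = text
    for label, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(redacted):
            findings.append((label, match.group(0)))
        redacted = pattern.sub(f"[{label.upper()}]", redacted)
    for name in client_names:
        if name in redacted:
            findings.append(("client_name", name))
            redacted = redacted.replace(name, "[CLIENT]")
    return redacted, findings


def is_safe_to_submit(text, client_names=()):
    """True only when the filter finds nothing to redact."""
    _, findings = redact_prompt(text, client_names)
    return not findings


# Constructed sample prompt containing the kinds of PII the policy prohibits.
SAMPLE_PROMPT = (
    "Draft a follow-up email to Jane Doe (SSN 123-45-6789) about moving "
    "$250,000.00 from account #12345678. Her cell is 555-123-4567 and "
    "her email is jane.doe@example.com."
)

if __name__ == "__main__":
    cleaned, found = redact_prompt(SAMPLE_PROMPT, client_names=("Jane Doe",))
    print(cleaned)
    for category, value in found:
        print(f"blocked {category}: {value}")
```

A block-on-findings policy (refuse to submit rather than silently redact) is the safer default, since the reviewer then sees what the prompt contained.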
Educate Your Clients
Smart data protection also extends to your clients’ usage of their own data. Explain the best ways they can safeguard their PII, such as using a secure password manager. If your firm sends verification codes via text, make sure clients understand how to spot a phony notification.
Explain your incident response protocols, and that the firm has a written plan to notify them within 30 days of any data breach.
Vet Tech Vendors Stringently
Regularly review the System and Organization Controls (SOC) 2 Type II reports of all of the firm’s software providers and partners. Developed by the American Institute of Certified Public Accountants (AICPA), this independent auditor’s report attests that the provider has the proper controls in place to safeguard the customer data its application handles.
Bottom Line: Strong Data Protection is Ultimately a Competitive Advantage
Firms that prioritize data privacy are extremely attractive to high-net-worth clients looking to minimize their risk exposure. Data breaches and compliance issues erode client trust and can ultimately send clients shopping for a new advisor.
Partner Kimberley Cronin is an accomplished attorney and a member of the firm’s Corporate Practice Group, providing expert legal counsel and representation to established companies, start-ups, and individuals nationwide. For more than two decades, she has delivered cutting-edge, tailored legal advice to financial advisors, registered investment advisory firms, and broker-dealers operating in the financial services industry, and can help solve the most complex legal issues.
Messner Reeves LLP’s Banking and Financial Services attorneys are seasoned, experienced and ready to take on the toughest legal challenges that financial companies face. They’re well-versed in state and federal regulatory matters, industry-specific compliance issues, litigation concerns, and more. Contact us today.