A Priority Practice: Protecting Confidentiality

Greg Wilson, Head of Information Security
October 5, 2018

Financial services firms are expected to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats to the security or integrity of such records and to protect against unauthorized access to such records or information that could result in harm to any customer.

This includes the firm’s dealings with outside resources, such as cleaning services, document shredding, IT consulting, janitorial services, etc. Many offices also subscribe to vending services (soda, coffee, snack machines) and “green” services, such as interior plant and tree watering, maintenance and replacement. Based on their access to the branch locations, these vendors may have opportunistic access or visibility to customer records, either electronically (for IT consultants) or physically (such as cleaning services).

Examine the business services delivered by third-party service providers to your firm, determine if any of those services grant the third-party vendor and/or its employees access to original books and records related to securities or money and make sure there are both physical and contractual protections in place to help protect client records and information.

All branches should have physical protections in place for client documents. For example, documents with personally identifiable or personal information about clients should be shredded and not simply placed in the trash. Offices should consider a “clean desk” policy as a best practice whereby employees are instructed to put any client documents in locked cabinets.

In most cases, the individual(s) providing your office’s technology support will have access to laptops, mobile devices, non-company devices and network connections. This can include having extensive knowledge of your system’s passwords, monitoring requirements, anti-virus software, local storage, encryption and incident management. If possible, a firewall should be in place that prevents IT providers from having access to financial services files if such access is not necessary to perform the IT work.

Your firm may have directly contracted with the aforementioned types of service providers, or those providers may be offered as part of the services associated with the management of the building in which you are leasing office space. When hiring a third party (e.g., cleaning services, IT services, janitorial, etc.) to help facilitate any part of your financial services business, a best practice is to first inquire about its hiring process (e.g., performing background checks) and ensure that all required security protocols are in the contract. Property management should be conducting criminal background checks on janitorial contractors or employees. As a best practice, you should look to hire vendors who have been bonded.

Each member of a firm is responsible for ensuring that his or her firm’s agreements with third-party service providers are structured to protect against internal and external security threats. This includes conducting sufficient due diligence on the third-party firms and their security measures and policies. FINRA has noted that vendors will often try to suggest that they have “taken care of” any issues you should be concerned about by making statements similar to the following:

  • “Don’t worry — our security protections are adequate.”
  • “We will provide you the same protection we provide for our own information.”
  • “We are regulated, and those regulations protect you.”
  • “You cannot review our internal procedures based on confidentiality and security concerns.”

Additionally, you need to review the confidentiality provisions in the service agreements with outside vendors.
