RIA Compliance Requirements FAQ: Your Guide to IT Compliance
Technology has crept into more of daily life, more of your work, and more of your RIA compliance requirements, and it is generating new regulations and new questions for Chief Compliance Officers and leadership teams.
These are 18 of the top concerns raised in our discussions with clients and industry leaders.
RIA Compliance Requirements FAQs: 18 IT-Related Questions Answered in Plain English
1. How should we prepare our technology and IT systems for an exam?
Start with a risk assessment. Until you know what you don’t know, it is hard to prioritize anything. The assessment gives you an inventory of your systems, data, and controls, and a written record an examiner can follow.
2. We let employees work from home. What should they do to keep our firm compliant?
Confirm and document that all employees who work from home follow all company policies and procedures.
Remote work does not exempt employees from complying with your firm’s policies
If your policy says everyone uses password-protected Wi-Fi, employees must use only password-protected Wi-Fi, both in and outside the office.
3. Is the cloud compliant?
The answer varies by vendor. Do not adopt a blanket approach to cloud compliance. Evaluate every provider you work with and document your findings.
The top reason you want to outsource cloud vendor assessments
Cloud services providers with RIA industry experience are uniquely positioned to assess vendors on your behalf. They will ask vendors questions you aren’t thinking of and uncover hidden risks. With that partner you will make a more informed, less risky decision about your technology.
4. The SEC is releasing new rules related to technology and cybersecurity. How should I prepare my firm?
The changes we are witnessing in technology and in the regulatory environment will make this one of the most significant periods of regulatory activity.
It’s not about a single event, device, or innovation
Financial services firms must analyze draft regulations to identify which are likely to be enforced.
Let us monitor IT-related regulations for you
Unlike most managed IT service providers, we pay attention to draft regulations from the SEC. Our current RIA clients can attest to how we bring them updates on proposed changes that are likely to be adopted, and plan for how to adapt their IT policies and practices to stay compliant.
5. What can my RIA firm do to simplify IT-related compliance activities?
Do not laser-focus on a single system or app. The SEC is very focused on risk management. Let that be your guide.
Step back and scrutinize your IT environment and risk level
Get an assessment and put in place a risk management strategy.
6. Why do we need to continually monitor our IT environment and practices?
Nothing in your firm is static. A change you enact and document as 100% compliant today has a low chance of still being compliant in a few months. Consider this situation:
Today you set up multifactor authentication and document that all employees use it. In 2 months, 4 employees get new devices.
If you are continually monitoring your IT environment …
You’ll catch the new devices and set up multifactor authentication on them.
If you do not have a system in place …
An SEC audit is how you’ll discover the employees who got new devices and do not use MFA, subjecting you to fines.
Tip: The right IT partner manages and monitors technology for you, helping you keep IT systems compliant.
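The drift in the scenario above is easy to catch once device inventory and MFA registrations are compared on a schedule. The script below is an added example, not code from the original page or from any vendor: it reconciles a device inventory against MFA registrations, flags new devices that have never been attested, flags factors still registered on devices the firm no longer tracks (a risk the scenario does not mention but a reviewer should check), and emits a dated evidence record for the compliance file. All sample data is constructed inline, and the field names are assumptions rather than any product’s export format.

```python
"""
Added example (not part of the original page): reconcile a device
inventory against MFA registrations to catch the drift described in Q6,
and produce a dated evidence record of the review for your files.

All data below is constructed for illustration. In practice the two lists
would be exported from your device-management tool and identity provider;
the field names are assumptions, not any vendor's schema.
"""
from datetime import date
import json

# Assumed: date of the last documented MFA attestation, and today's review.
LAST_REVIEW = date(2024, 1, 31)
REVIEW_DATE = date(2024, 3, 31)

# Constructed sample: devices the firm currently tracks.
DEVICE_INVENTORY = [
    {"user": "alice", "device_id": "LT-0101", "issued": "2024-01-15"},
    {"user": "alice", "device_id": "LT-0187", "issued": "2024-03-20"},  # replacement
    {"user": "bob",   "device_id": "LT-0102", "issued": "2024-01-15"},
    {"user": "carol", "device_id": "LT-0190", "issued": "2024-03-22"},  # replacement
    {"user": "dave",  "device_id": "LT-0104", "issued": "2024-01-15"},
]

# Constructed sample: MFA factors registered with the identity provider,
# keyed by the device the factor lives on.
MFA_REGISTRATIONS = [
    {"user": "alice", "device_id": "LT-0101", "method": "authenticator_app"},
    {"user": "bob",   "device_id": "LT-0102", "method": "authenticator_app"},
    {"user": "carol", "device_id": "LT-0103", "method": "authenticator_app"},  # retired device
    {"user": "dave",  "device_id": "LT-0104", "method": "authenticator_app"},
]


def find_mfa_gaps(inventory, registrations):
    """Tracked devices with no MFA registration: the drift Q6 describes."""
    registered = {(r["user"], r["device_id"]) for r in registrations}
    return sorted((d["user"], d["device_id"]) for d in inventory
                  if (d["user"], d["device_id"]) not in registered)


def find_orphaned_registrations(inventory, registrations):
    """MFA factors still registered on devices the firm no longer tracks.
    Revoke these: a factor left on a retired or lost device is itself a risk."""
    tracked = {(d["user"], d["device_id"]) for d in inventory}
    return sorted((r["user"], r["device_id"]) for r in registrations
                  if (r["user"], r["device_id"]) not in tracked)


def new_devices_since(inventory, last_review):
    """Devices issued after the last documented review; their MFA setup
    has never been attested and must be checked."""
    return sorted(d["device_id"] for d in inventory
                  if date.fromisoformat(d["issued"]) > last_review)


def build_evidence_record(inventory, registrations, last_review, review_date):
    """Dated review record for the compliance file. Keep every run;
    the history of these records is what an examiner will ask to see."""
    gaps = find_mfa_gaps(inventory, registrations)
    orphans = find_orphaned_registrations(inventory, registrations)
    return {
        "review_date": review_date.isoformat(),
        "previous_review": last_review.isoformat(),
        "devices_tracked": len(inventory),
        "devices_new_since_last_review": new_devices_since(inventory, last_review),
        "devices_without_mfa": [f"{u}/{d}" for u, d in gaps],
        "orphaned_mfa_registrations": [f"{u}/{d}" for u, d in orphans],
        "compliant": not gaps and not orphans,
    }


def run_review():
    """Run the review against the constructed sample data."""
    return build_evidence_record(DEVICE_INVENTORY, MFA_REGISTRATIONS,
                                 LAST_REVIEW, REVIEW_DATE)


if __name__ == "__main__":
    print(json.dumps(run_review(), indent=2))
```

Run on the sample data, the review reports the two replacement laptops as lacking MFA and carol’s old device as still carrying a registered factor, and marks the review non-compliant. Scheduling this comparison (weekly, or on every device issuance) and filing each record is the continuous monitoring the question asks about.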
7. What cybersecurity best practices should our firm follow to satisfy RIA compliance requirements?
The best practice any RIA can follow is to outsource cybersecurity services to an expert.
Industry standards and regulatory requirements are riddled with complexities. You and your Chief Compliance Officer do not want to spend your time figuring out how to carry out and monitor advanced protections, like real-time vulnerability scanning.
8. How do we choose a cybersecurity partner who will help keep us compliant?
Find a single provider who unites 2 criteria:
- Advanced cybersecurity experience
- Proven knowledge of the financial services industry
Credentials exist for both
On the cybersecurity side, look for a firm that employs Certified Ethical Hackers. Then check if the company regularly works with RIA firms.
Managed service providers who specialize in helping firms satisfy IT-related RIA compliance requirements might have industry-specific accreditations like Investment Adviser Certified Compliance Professional® (IACCP®).
Further vet your finalists with questions around process and documentation like: Do you follow a process tailored to SEC requirements? How do you maintain cybersecurity documentation for your RIA clients?
9. How should we select and vet compliant technology vendors?
First, get assistance from an IT expert. They will ask the questions that do not occur to you because your main job focus is not IT management.
The expert does not make the decision for you
Rather, your technology professional brings a fresh perspective and insight to the process. They help you understand the answers the vendor provides, so you know the risks you would be exposed to if you work with that vendor. The result is a fully informed decision that minimizes your risk exposure.
10. We use Redtail and Microsoft and can’t audit them – what do we do?
You cannot ask major vendors like Redtail or Microsoft to change their practices for you, but that does not prevent you from conducting a vendor assessment.
How to audit major vendors like Redtail and Microsoft
Start with the documentation published by Redtail, Microsoft, or whatever other large software provider you use, including any independent audit reports (such as SOC 2 reports) they make available to customers.
- Evaluate their policies (cybersecurity, partner responsibilities, etc.).
- Discuss observations internally.
- Assess the vendor’s practices.
- Document your observations, discussions, and assessments.
11. What steps should we take to ensure the continued compliance of third-party IT vendors we work with?
Continually assess your partners and document how you conduct reviews. Follow all best practices for documentation and assessments that you use for any policy or process.
If you do not want to do this on your own, seek out a partner like itSynergy who helps you manage IT compliance tasks.
12. How often should we conduct technology audits to assess our compliance and identify potential risks?
Annual reviews are the minimum, but reviewing technology throughout the year is a better approach.
Why you should audit your IT more than once a year
Waiting for your yearly review piles an overwhelming level of work onto your team.
To simplify the process, have your outsourced managed IT partner do it for you. Their sophisticated monitoring tools will continually scan your environment, create logs, and take the burden of identifying IT risk off your shoulders.
Bonus: Outsourcing enhances the cyber safety of your firm
The right outsourced partner will do more than help you maintain compliance. By regularly monitoring your environment, they protect your firm against malicious cyber activity and mitigate risk.
13. What should our written policies and procedures cover in terms of technology compliance?
The SEC has signaled that it wants to see an RIA’s documentation for:
- Incident Response Plans (IRPs)
- Business Continuity and Disaster Recovery plans
- Acceptable Use Policy
- Data location and classification
- Risk assessments
- Vendor risk assessments
That list is a starting point – Evaluate your non-IT policies too
As technology plays a larger role in your day-to-day operations, it becomes increasingly likely that your non-IT policies have technology components.
Evaluate all policies and operations to add in IT-related documentation as needed.
14. What information should we document and include in our technology records?
Produce an annual report that lays out the process you went through to review and assess your cyber policies, risk assessments, and control reports, and keep it available for the SEC. If a cybersecurity incident occurred, include a discussion of the event.
Additionally, you must update your data classification reports, acceptable use policy, and Business Continuity and Disaster Recovery plan at least once a year.
15. How many years of technology records should we maintain?
Draft regulation published by the SEC in 2022 calls for 5 years of record keeping. This applies to the technology plans and documentation you maintain. So, if you update your Incident Response Plan (IRP) every year, you should have 5 years of plan reviews and revisions to show the SEC during an audit.
16. Do we need to train staff on IT compliance and cybersecurity best practices?
At the time the draft regulation was published (2022), staff cybersecurity training was suggested but not required by the SEC.
You may still want to conduct employee cybersecurity training
It can protect your firm’s reputation, and trained staff are less likely to fall for phishing and other social engineering, which remain among the most common ways firms are breached.
17. How can we develop a robust Incident Response Plan (IRP) to address potential cybersecurity breaches or technology failures?
- Start with a template IRP from a trade association.
- Modify the template to fit your organization’s specific needs.
- Test your plan with a tabletop exercise.
- Document the results, including what worked and what didn’t.
- Review your IRP at least once a year.
- Keep records of your reviews and any changes you make.
For a more detailed guide, read Why Registered Investment Advisors Need an Incident Response Plan
18. What mistakes do RIAs make with their business continuity and disaster recovery plans?
Forgetting to test their business continuity and disaster recovery (BCDR) plan is the top mistake we see all companies, including RIA firms, make.
Do not stick your plan on a shelf: simulate a disaster now
When you test, you realize what works and what doesn’t in a low-stakes environment. You then make updates and have confidence your plan will work as desired if you need it.