Last year, the U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P which, among other things, impose new data breach notification requirements on SEC-registered investment advisers (RIAs) and their service providers. No-one paid much attention to this last year, but because these amendments come into force for most RIAs next month, there has been a flurry of activity and concern amongst RIAs, their vendors, and the firms that advise the ecosystem.
One core requirement of the updated Reg S-P is that RIAs must ensure all their relevant service providers notify them of the details of any data breach within 72 hours of becoming aware of the breach. The problem is that the best SaaS providers, including Google, Microsoft, and Box, will not commit to notifying within 72 hours of becoming aware. Microsoft comes close: it commits to notify within 72 hours of "declaring" a breach, but that declaration could come days after it first becomes aware of the breach.
So firms are left with a choice between knowingly not complying with the regulation and migrating to niche providers that carry a significantly higher risk of outage and breach.
Each client's case is unique, and compliance counsel should of course be involved, but our general advice is to stay with best-in-class collaboration platform providers such as Google and Microsoft, and to have your InfoSec governance body write a justification for this decision as being in the best interests of your LPs, even though it does not follow the letter of Reg S-P regarding notification.
The benefits of a highly secure platform protecting investor information outweigh the ability to tell investors promptly that their data has been compromised.