Compliant Document Storage for RIAs: What You Need to Know

5 min read
July 29, 2015

Compliant cloud document storage, or storage of data in general, is a hot topic right now. There's not a lot of guidance being provided by the SEC or state regulators in regards to actual, concrete rules around what advisors need to do in order to ensure their documents are stored in a compliant manner.

The best that we have right now? FINRA has released some rules around the idea that they prefer documents be stored behind a 256-bit encryption format. But this was created by FINRA, and it's not a hard and fast rule -- so it doesn't necessarily apply to SEC- or state-registered firms, and at this point it's unclear how it might apply.

There are a few things you can be doing to ensure that, as a financial advisor, you're being smart with your data. We want to be compliant and we also want to be sure we're not hacked and client-sensitive data is being stolen out of our systems. You never want to be the one to make a phone call to a client to tell them their identity was stolen thanks to a hack at your office.

Looking for a roadmap to start your own independent RIA? Check out our  comprehensive guide to starting your firm!

Creating a Secure System for Your Compliant Document Storage

There are three layers of security that we need to consider. The first is how documents are actually stored on your computer and other devices. This also applies to servers, but most tech-savvy financial advisors use the cloud for storage. We discuss why cloud storage makes more sense in our free ebook, The Virtual Advisor.

The second layer is the transmission of data, which refers to the process of moving information from local storage to the cloud or moving files back and forth between you and your clients. The third is the actual cloud storage solution.

So how do you protect all these levels?

Secure Your Devices

The first step to take is to secure all your devices. Whenever you're logging into your computer systems, you always want to have a very secure password on your computer.

You want to be sure other people can't pick up your laptop and easily access information and documents on it -- which means making sure anytime your computer times out or goes into sleep mode, it requires a password when you return to actively using it (rather than just requiring a password when it's booted up from being shut down).

Use Encryption Software

Next, use encrption software on your computer so that if someone does hack the initial layer -- the documents actually being stored on your devices -- that they're not able to fully access your hard drive.

For PC users, you can check out BitLocker Drive Encryption to do this. If you use any devices running iOS, you can use OS X. Alternatively, Symantec offers a solution that works for both Windows and Apple operating systems.

Don't forget about mobile devices, too. Many of us link Google Drive, Dropbox, and of course our emails to our phones, so they need to be secured like your computer. Make sure you set up a PIN to protect your information -- but also note that this can be hacked through brute force.

To protect against this, you need the ability to remotely wipe data from your phone. For both Android and iOS, you can use Lookout. (If you're an Apple user, you can also set up Find My Phone.)

Secure the Transmission of Data

This is an area where many financial advisors can get into trouble. In order to secure transmission of data, you need to start by using a secure Internet connection. The Internet you use at your home or office is most likely just fine -- the issue usually comes when you're on a public, unsecured WiFi network.

Many folks will go and sit at the local coffee shop and upload documents to the cloud or handle email. It seems harmless, but the problem is that these networks are extremely easy to hack. Essentially, a middle schooler could hack the network and gain access to your data.

There are a lot of "spoofing" opportunities here, which means someone could set up a wireless network called, for example, "Starbucks3" and make it look legitimate. If you're not signing onto the real network Starbucks is providing for free and sign onto a fake network instead, a hacker can literally scrape any data you transmit over that wireless connection.

To secure the transmission of your data, you should avoid unsecured public networks. You can use a jetpack or mobile hotspot instead to avoid these issues. All of the major cellular carries offer these, and they turn 3G and 4G mobile data into a WiFi network that your computer can connect to. Many smartphones come with the capability to create mobile hotspots.

You can also get PrivateWiFi, which allows you to set up your own virtual private network (or VPN. You can then connect to the Internet remotely with a secure connection.

Another issue to be aware of when using your computer and connecting to the Internet: your choice in browser. Use a browser such as Google Chrome, which comes with a lot of built-in secure features to ensure the encrypted transmission of data.

And anytime you're sending sensitive information online, you want to check that the web address says "https." Http is the standard, and the extra s indicates the URL is secure.

Secure Your Documents Once They're in the Cloud

This is the area where many advisors -- and compliance experts -- are concerned, because there are different levels of encryption that each individual system uses. For example, Google Drive stores data with a 128-bit encryption, which is significantly better than the previous standard of 56-bit. However, it's not as secure as 256-bit, which is what FINRA has recommended as the new standard.

With this information, you have a couple of options. If you use Google Drive or Dropbox and prefer to continue using these programs, you can sign up for a separate program called Boxcryptor. It's very inexpensive -- $50 per year for a personal license, or $100 per year for business. (Individual advisors may be able to use the personal license; you only need the business license if you have staff members.)

Boxcryptor encrypts documents on your computer before you send them up to the cloud. The advantage here is that neither Dropbox nor Google Drive will be able to see anything about those documents you're storing in those cloud systems because of the encryption on them.

This is a way to ensure you can store all your documents using a cloud-based storage system. You can also share access on encrypted documents. You can set up folders where your clients can upload documents and they'll be automatically encrypted, too. It's very easy to use.

Another option is to simply move away from storage solutions like Drive or Dropbox and use a system like ComConnect File Sync. SpiderOak is another solution that offers built-in encryption.

Additional Recommendations for Working with Sensitive Documents

Here are a few additional tips to try when setting up compliant document storage for your RIA:

  • Always use 2-step authentication

  • Use a password management system like LastPass or RoboForm

  • Set up very secure security questions, or randomize your answers just like you can randomize password characters and numbers

Compliant document storage is a topic that we'll continue to revisit and seek to understand in the future. With the pace at which technology grows, we -- as an industry -- will constantly need to find new solutions, better security, and ways to remain both compliant and proactive about keeping files safe.

If you have additional questions on this topic, the go-to expert in this area is Blane Warrene. You can visit his site at BlaneWarrene.com or connect with him on Twitter @blano.

Your firm, your terms. It can be done. Show me how.

Subscribe by email