Data Privacy Best Practices for Investment Firms

Jan 27, 2022

By Matt Hilsenrad, Director of Cybersecurity at Abacus Group

Data privacy should be at the forefront of any financial services firm's priority list. Keeping your data, client information and, by association, funds secure is what keeps your business operational. Follow guidance from government and regulatory bodies such as CISA, the SEC and the FCA.


Importance of Email Security and Technical Controls

Use secure email configurations wherever possible. For financial entities in particular, this includes enforcing encryption in transit with a gateway appliance such as Proofpoint. Additional Abacus best-practice configurations include SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) for email communication. Note that these three records do not encrypt mail: they let a receiving server verify that a message claiming to come from your domain was sent from an authorised server (SPF) and signed with your key (DKIM), and DMARC tells the receiver what to do with mail that fails those checks and where to send reports about it.
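Publishing the three records is not enough; common misconfigurations (an SPF record ending in '+all', DMARC left at 'p=none', a DKIM selector with no key) silently undo the protection. The following Python script, added here as an example and not Abacus's own tooling, evaluates a domain's SPF, DKIM and DMARC records for those pitfalls. The zone it reads is a constructed sample and lookup_txt is a hypothetical stand-in for a real DNS query, so it runs offline; point lookup_txt at a resolver (for example dnspython) to run it against a live domain.

```python
"""Check the strength of a domain's SPF, DKIM and DMARC DNS records.

Added example, not Abacus's own tooling. SAMPLE_ZONE is a constructed
sample and lookup_txt() is a hypothetical stand-in for a real DNS TXT
query (e.g. dns.resolver.resolve(name, "TXT") with dnspython).
"""
import re

# Constructed sample zone: a weakly configured domain and a hardened one.
# The DKIM 'p=' value is a truncated placeholder, not a real public key.
SAMPLE_ZONE = {
    "weak.example": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
    "sel1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, zone=SAMPLE_ZONE):
    """Hypothetical DNS TXT lookup backed by the constructed zone."""
    return zone.get(name.lower(), [])


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, zone=SAMPLE_ZONE):
    findings = []
    records = [r for r in lookup_txt(domain, zone) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record; receivers cannot reject forged envelope senders"]
    if len(records) > 1:
        findings.append("SPF: more than one record is a permanent error; publish exactly one")
    terms = records[0].split()
    last = terms[-1].lower().lstrip("+")  # '+all' and 'all' both mean pass-everything
    if last == "all":
        findings.append("SPF: '+all' authorises every host on the internet; end with '-all'")
    elif last == "~all":
        findings.append("SPF: '~all' only softfails forged mail; use '-all' once senders are known")
    elif last != "-all":
        findings.append("SPF: record does not end in '-all', so unlisted hosts are not rejected")
    lookups = sum(
        1 for t in terms if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(domain, zone=SAMPLE_ZONE):
    findings = []
    records = [r for r in lookup_txt(f"_dmarc.{domain}", zone) if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no _dmarc record; SPF/DKIM results are never enforced against the From: header"]
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports of spoofing attempts are lost")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    return findings


def check_dkim(domain, selectors, zone=SAMPLE_ZONE):
    findings = []
    for selector in selectors:
        records = lookup_txt(f"{selector}._domainkey.{domain}", zone)
        if not records:
            findings.append(f"DKIM: no public key published for selector '{selector}'")
            continue
        if not parse_tags(records[0]).get("p"):
            findings.append(f"DKIM: selector '{selector}' has an empty p= (key revoked)")
    return findings


def evaluate(domain, selectors, zone=SAMPLE_ZONE):
    """Return all findings for a domain; an empty list means the checks pass."""
    return check_spf(domain, zone) + check_dkim(domain, selectors, zone) + check_dmarc(domain, zone)


if __name__ == "__main__":
    for name in ("weak.example", "strong.example"):
        print(name, evaluate(name, ["sel1"]) or ["OK"])
```

On the sample zone, weak.example produces four findings (SPF '+all', missing DKIM key, DMARC p=none, no rua address) and strong.example produces none. The DKIM selector names are not discoverable from DNS alone, so they are passed in; use the selectors your outbound gateway actually signs with.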

Treat each email with skepticism: if you are not sure of the sender, or if something looks off, do not trust the content. Do not be afraid to verify with known associates that an email is legitimate, particularly when it concerns a fund transfer, and do so over a channel other than the email itself. Report and/or delete any email whose content seems off.

Multi-factor authentication (MFA) is an important technical control and should be enforced wherever possible, not only on banks, financial institutions, or Abacus-managed accounts: Apple, Google, Microsoft and most other providers offer it. Approve an MFA prompt only when you are certain you initiated the logon. An unexpected prompt usually means someone else already has your password, so deny it and report it.

Data availability is tied to data privacy. Have a plan in place to recover data when an incident occurs, and use established backup and replication vendors such as Zerto or Veeam to protect your data in a ransomware scenario. Keep at least one backup copy offline or immutable, so an attacker who reaches your production systems cannot encrypt or delete the backups as well, and test the restore procedure regularly. Your BCP (Business Continuity Plan) and IRP (Incident Response Plan) should account for the various situations in which recovering your data is necessary.


Procedures, Policies and Controls

Have strong processes in place, especially when funds are exchanged. This includes verbally confirming large transfers with the requester over a known phone number, not acting on instructions from personal email accounts, ensuring that third parties are who they say they are, and sticking to the runbook/policy every time, however urgent the request appears.

Use internal policies to encourage user engagement! If your employees see something phishy, they should speak up. Praise participation in cybersecurity education, attention to detail and diligence when completing forms. Make user training and phishing campaigns part of your defense-in-depth approach to cybersecurity, and make them mandatory at least once per year.

Ensure that your vendors adhere to data privacy regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), and to cross-border transfer frameworks such as the EU-U.S. and Swiss-U.S. Privacy Shield. Note that the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield as a lawful basis for EU-to-U.S. transfers in July 2020 (Schrems II), so transfers of EU personal data need another mechanism, such as Standard Contractual Clauses, in addition to any Privacy Shield commitments. Abacus maintains a Privacy Policy and has been a participant in Privacy Shield since 2018.

