Call now for cybersecurity help: 888-646-1616
As a company who works with investment advisors on improving their cybersecurity, the SEC books and records retention requirements subject may seem a little odd. But it is a topic that comes up frequently with current clients and prospects.
One area we like to focus on is cloud services security. Are your email accounts and data as buttoned up as possible? Under SEC rule 204-2, every investment advisor registered or required to register with the SEC needs to follow certain records retention rules. Are you properly archiving email messages? Are you retaining those messages for the right amount of time? These are things we help our clients and their IT firms figure out.
Rule 204-2 is long, and honestly a summary of the rule seems like a boring article idea. Instead, this article is going to focus on some common questions we get from financial advisors about the SEC Books and Records Retention Requirements.
The books and records rule consists of a large list of books and records that an investment advisor needs to keep true, accurate, and current. This list includes journals, ledgers, bills, originals of written communications, addresses, policies, etc. Here it is, in all its glory: https://www.ecfr.gov/current/title-17/chapter-II/part-275#275.204-2
Under Rule 204-2(a)(7), advisors are required to keep originals of all written communications received and sent by the advisor related to various activities. In addition, Rule 204-2(a)(11) requires advisors to keep copies of advertisements, newsletters, etc. Yes, you may have paper copies of certain written communications or advertisements in printed material, but for the most part, these sections of Rule 204-2 pertain to emails and digital advertising.
When deciding how to satisfy the SEC books and records retention requirements, make sure you are capturing all forms of electronic communications. Think beyond email – are you using Telegram, Slack, WhatsApp, Teams, text messages for business-related communication? These sorts of messages need to be properly archived.
Another important aspect of protecting electronic communications is making sure the archives are secure and that you are maximizing the available security measures. These top-notch security settings aren’t always turned on by default. You also need to consider archive access control.
Here are some common questions we receive regarding the SEC’s books and records requirements and cloud email services:
Microsoft 365 has records retention features that can help you to keep the appropriate documents for the appropriate time frame. Learn more here: https://docs.microsoft.com/en-us/compliance/regulatory/offering-sec-17a-4
Certain subscription levels have a records retention and email archiving module. That's part of what we configure for clients with our Virtual CISO program. There are a number of SEC requirements that can be met by being on the right M365 plan and configuring some of the security features. It won't meet 100% of the SEC's requirements, but it's a great place to start.
Absolutely. Certain Google Workspace subscriptions (Business Plus or higher) include Google Vault, their data retention and eDiscovery tool. We have a number of financial advisor clients currently using Google Workspace or are moving to Google Workspace.
This will depend on your specific organization. Some of our larger financial advisor firms use Smarsh because it has more robust features like archiving data from their email and other communication channels, but Microsoft Exchange Online archiving is more cost effective for smaller organizations. The answer will depend on the size of your organization and how you communicate with current and prospective clients.
You’re not alone.
The SEC’s guidance is not always one-size-fits-all – and it’s important to have expert guidance along the way. That’s where a Virtual CISO comes in – a specialist without the cost of another full time employee.
Financial advisor firms across the US utilize our hands-on Virtual CISO service, which includes an assessment and various cybersecurity tools and monitoring systems.
