Data Protection Checklist

Map where nonpublic personal information lives — Salesforce/Wealthbox/Redtail records, eMoney or RightCapital plan files, custodian downloads, advisor mailboxes, document vault, and any spreadsheet caches on advisor laptops. GLBA and Reg S-P apply to NPI wherever it sits, including off-channel locations the firm hasn't sanctioned.

Tag records as Public, Internal, Confidential, or Restricted (NPI/PII). SSN, account numbers, balances, and beneficiary data are Restricted by default. Plan inputs, meeting notes, and risk profiles are typically Confidential.

Confirm CSAs, paraplanners, and interns only see clients on their assigned book. A common gotcha: legacy Salesforce sharing rules grant blanket read access to all contacts after a CRM migration.

TLS on every external integration, full-disk encryption on advisor laptops (BitLocker/FileVault verified by MDM), and encrypted document portal (ShareFile, NetDocuments, Citrix) for any client send. Plain email of statements is the most cited Reg S-P deficiency at small RIAs.

Update the written information security program (WISP) for any new tools or workflows added during the year. Re-circulate to all reps and staff with attestation captured in the LMS.

Verify MFA is enforced (not just available) on Schwab Advisor Center, Fidelity Wealthscape, the CRM, M365/Google Workspace, the document vault, and any VPN. SMS-only MFA is no longer acceptable for privileged accounts — move to authenticator app or hardware key.

For any system without enforced MFA, open a remediation ticket with a closure date inside 30 days. Time-limited compensating controls (IP allowlist, conditional access) need explicit CCO sign-off.

Walk Salesforce/Wealthbox/Redtail role hierarchy and sharing rules. Confirm temp staff, departed advisors, and former interns no longer hold profiles. Spot-check three random reps to verify their visibility matches their book.

Pull 90 days of login telemetry from M365, the CRM, and the custodian portals. Flag impossible-travel logins, after-hours access to client records, and bulk export events. Document the review even if nothing is found.

Pull HR's termination list for the period. For every separated advisor, confirm same-day deprovisioning of email, CRM, custodian access, and VPN, plus Form U5 filed within the FINRA 30-day window.

Verify nightly backups for CRM exports, the document vault, planning software files, email archive, and any on-prem file servers. Confirm immutable / WORM retention for the email archive (Smarsh, Global Relay, or equivalent) per books-and-records rule 17a-4.

Backups must live in a separate geographic region or off-site facility. A single-region cloud backup is not a DR strategy — ransomware encrypts both prod and the in-region backup if credentials are shared.

Pick a sample CRM export and a sample document folder; restore to a sandbox; confirm content matches expected. Untested backups are a finding waiting to happen at the next SEC sweep exam.

If the restore test failed or surfaced gaps, log a remediation ticket with named owner, target date inside 30 days, and CCO visibility. Re-test after fix; do not close until a clean restore is demonstrated.

FINRA Rule 4370 requires an annual BCP review. Update emergency contacts, alternate site, custodian failover procedures, and the customer disclosure summary on the firm's website.

Validate CCO, COO, IT lead, outside counsel, cyber-insurance broker, and forensic vendor (Mandiant, Kroll, etc.) numbers. Saturday-night phone numbers, not just office lines.

Reflect the 2024 Reg S-P amendments — covered institutions must notify affected individuals as soon as practicable and no later than 30 days after determining an unauthorized access or use of customer information has occurred. Plan should map the determination clock, not just the discovery clock.

Walk one realistic scenario — phished advisor credentials with custodian access, ransomware on a file server, or a wire-fraud impersonation. Capture decision points, time-to-contain, and notification timing in the after-action.

Review the firm's incident log for the review period, including near-misses (phishing clicks that didn't progress, ATO attempts blocked by MFA). Confirm each entry has root cause, containment action, and closeout date.

For any reportable incident, draft the customer notice with outside counsel, file with state AGs where required, and document the determination date driving the 30-day clock. Capture send dates and bounce-back handling for any returned mail.

Pull updates from ACA, NRS, IAA, and state regulator bulletins covering CCPA/CPRA, NY SHIELD, MA 201 CMR 17, and the ten-plus newer state privacy regimes. Flag anything that changed scope, notification timing, or required policy language.

Run the mock exam internally or through outside compliance counsel. Cover ITPP (Identity Theft Red Flags), WISP, vendor due diligence files, and the annual Rule 206(4)-7 compliance review documentation.

Pull current SOC 2 Type II reports for every vendor that touches NPI — custodian, CRM, planning tools, archiving, e-signature. Flag expired reports and any qualified opinions for follow-up.

Document the lawful basis, retention period, and recipients for each processing activity. State privacy laws (CPRA, CTDPA) increasingly request this artifact; CCPA-style consumer requests get answered faster when the inventory is current.

CCO captures sign-off on the year's data protection review, including any open remediation items with target dates. Counsel attests on notification posture and any state-specific gaps. File in the Rule 206(4)-7 review folder.