VBC Securities, LLC Data Security Policy Statement
VBC Securities, LLC (VBC) is an Introducing Broker Dealer to Hilltop Securities, Inc. (HTS) and adheres to Certified Financial Planner (CFP) Board of Standards Code of Ethics that requires us to act prudently and solely in the interests of, and for the exclusive benefit of, our brokerage customers. As part of that obligation, VBC has created this Data Security Policy Statement as a resource that it may use with the intent to establish a prudent process as it relates to data security and our customers.
Martha B Pierce, Chief Compliance Officer, and Justin A Tallaksen, Financial Operations Principal: These individuals oversee the data security risk management strategy for VBC and our customers. These persons are responsible for designing, documenting, implementing, and maintaining the strategy. These persons also review the strategy on an ongoing basis to protect against emerging risks. These persons have the background and experience to be able to perform the required tasks and receive periodic training on the latest threats and data protection tools and resources.
What data is protected? Customer data can contain confidential and sensitive information. This includes both financial and personally identifiable information (PII). For example, this may include social security numbers, driver’s license numbers or other similar identifying numbers, dates of birth, email and physical addresses, personal bank account information, individual asset balance information, information used in security questions, etc.
Where is the data stored? VBC keeps physical copies of customer account application and identification documentation in customers’ files in locked file cabinets in a locked document room at VBC’s Office of Supervisory Jurisdiction (OSJ). All customer account application and identification documentation is submitted to HTS, VBC’s clearing firm. These are housed electronically on HTS systems and the electronically feed by HTS to Redtail, VBC’s CRM provider. SOC 2s of the third-party providers are reviewed annually.
Who is accessing the data? To service VBC customers, data is typically shared across multiple parties and systems. All VBC supervising principals have access to all customer documentation. Any associated person, a.k.a registered representative, who is not a supervising principal has access only to accounts assigned to them. Since VBC is an introducing broker to HTS, HTS authorized personnel also has access to VBC customer information. HTS’ SOC 1 is reviewed annually.
What data is accessed? The Managing Member, Chief Compliance Officer, Financial Operations Principal, MSRB Principal, and Options Principal have full access to VBC books and records. Any other Principal and associated persons only have access on a business need-to-know basis allowing them to customer accounts information necessary to perform their required jobs.
How is data accessed and controlled? Customers’ physical account documentation is accessed by request from the Chief Compliance Officer or the Financial Operations Principal. VBC books and records are housed on VBC’s private server that can be accessed by the Managing Member, Chief Compliance Officer, Financial Operations Principal, MSRB Principal, and Options Principal. The data is accessed by those persons while in the OSJ or via secure VPN on a VBC supplied computer when working remotely. Access to customer information housed at HTS, Redtail and Global Relay email is via secure password protected links. Access to these third-party platforms is granted via application authorized or withdrawn by the Managing Member.
What data needs to be retained? VBC retains data according to FINRA retention guidelines.
What are the threats to the data? VBC believes threats to customer data are minimal as is threats to VBC’s corporate books and records. VBC receives emails covering the following subjects from us-cert.gov/ncas: Cybersecurity Awareness; National Cyber Awareness System Alerts; National Cyber Awareness System Bulletins; National Cyber Awareness System Tips; National Cyber Awareness System Current Activity; National Cyber Awareness System Analysis Reports; Election Security; CISA System Matter Experts; General Cyber Training; Incident Response; Continuous Diagnostics and Mitigation; and Reducing the Significant Risk of Known Exploited Vulnerabilities.
Associated Persons Training. Training is provided via VBC’s Annual and Semi-annual required compliance meetings and as needed to educate and encourage all associated persons to help protect the data of VBC customers.
Cyber insurance. VBC’s Securities Dealer Fidelity Bond covers computer systems fraud, voice-initiated transfer, telefacsimile, virus and hacker coverage in addition to coverage for dishonesty of employees and Independent Registered Representatives.
Respond and Recover. VBC will respond and recover once a breach occurs by notifying VBC’s responsible parties; deter what information was breached; what efforts will need to take place depending upon the data breach; who and how will notify impacted parties; how will the impacted party be made whole, if needed; determine if any third-party providers have data security-related guarantees and what actions are required to be taken by to make sure the guarantee is available in the event of a breach.