This Policy applies to all Supervised Persons of DFA and any digital storage device or medium that is under the control or ownership of DFA or otherwise authorized to, or is intended to, store personal information about a client of DFA.
DFA has assigned the Advisor’s Chief Compliance Officer (“CCO”) as the individual with primary responsibility for implementing and revising this Policy (“Responsible Person”). The Responsible Person may delegate all or a portion of these responsibilities to a delegate of their choice, so long as that delegate is an employee of the Advisor or a third-party entity that is reasonably capable of implementing this Policy.
The following definitions are used within the regulation and are provided here for clarification:
Breach of security: the unauthorized acquisition or unauthorized use of unencrypted data, or encrypted electronic data and the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a person. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
Cybersecurity: the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.
Electronic: relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
Encrypted: the transformation of data into a form in which the meaning of the original data cannot be observed without the use of a confidential process or key to reverse the transformation.
Identity Theft: when a person assumes the identity of another in order to generate fraudulent transactions or other harmful conduct that impacts the assumed person to the benefit of the person initiating the transaction or conduct.
Owns or licenses: receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.
Person: a natural person, corporation, association, partnership or other legal entity.
Personal information: a client’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such client: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a client’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Record(s): any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
Service provider: any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.
Suspicious Activity: activity that is indicative of fraudulent or illegal activity, or involves transactions that are not typical for a particular client, such as sudden requests to withdraw large sums.
One source of potential Cybersecurity vulnerabilities is the conduct of Supervised Persons of DFA. Whether intentionally or accidentally, Personal Information about the client may be revealed or sent to someone outside the firm in a manner that exposes it to unreasonable Cybersecurity threats and potentially discloses the information to the public. Internal Cybersecurity sources may include but are not limited to:
Cybersecurity vulnerabilities can also arise from external sources, such as messages received by Supervised Persons or Persons unrelated to the Advisor seeking to gain access to the Advisor’s sensitive data for further attacks or violations. It is critical that any knowledge of external Cybersecurity vulnerabilities, or perceived breaches of the Advisor’s network or information security controls, be escalated to the Responsible Person. External Cybersecurity sources may include but are not limited to:
The Advisor has implemented the following controls to address the sources of Cybersecurity vulnerabilities as described in section 3 above. These controls seek to reasonably minimize any harm to the Advisor, its Supervised Persons and its clients, in response to a Cybersecurity threat or attack.
The response to a Cybersecurity attack will be reasonably related to the nature of the attack. Should a Supervised Person suspect their computer, device, or network has been subjected to a Breach of Security, they will promptly notify the Responsible Person and provide any requested details to determine the nature of the Breach of Security and the extent of the Cybersecurity attack. The Responsible Person will document all related information, the results of analyzing such information, and any response to address the suspected or actual Breach of Security.
Appropriate responses may include, but are not limited to, monitoring client account(s), contacting the client, changing security settings, changing the Advisor’s policies and procedures, closing the account(s), and/or notifying custodian(s) and law enforcement.
DFA shall review this Policy and test its effectiveness at least annually. The Responsible Person shall document the findings of the testing in a report to be kept with the Advisor’s books and records.
Annually, DFA shall also request or review available information from its Service Providers that store or handle client Personal Information to ensure they maintain a reasonably adequate Cybersecurity policy to support the activities of DFA. Any deficiencies will be addressed with the Service Provider and documented in a report to be kept with the Advisor’s books and records and/or the annual CCO report of the effectiveness of the Compliance Program.
DFA may make periodic updates to this Policy to account for changes in business practices, regulations and best practices. If any material changes are made to the Policy, all DFA Supervised Persons shall receive a copy and be expected to certify their understanding of the plan.