The Staff of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission released a Risk Alert on April 16, 2019, which identifies significant Regulation S-P (Reg. S-P) compliance issues observed during recent OCIE Staff examinations of registered investment advisers and broker-dealers (collectively, firms). The Risk Alert reinforces the OCIE Staff’s continued focus on privacy and cybersecurity-related matters. This Dechert Newsflash describes deficiencies and weaknesses relating to firms’ privacy and safeguard policies as identified by the OCIE Staff, and provides key takeaways from the Risk Alert.

Issues Observed by OCIE Staff

The Risk Alert sets forth specific “compliance issues” the OCIE Staff observed regarding proper adoption and implementation of Reg. S-P policies and procedures. The Risk Alert states that the information provided “is intended to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.” The Risk Alert further provides “examples of the most common deficiencies or weaknesses identified by OCIE Staff in connection with the Safeguards Rule.” These include:

  • Provision of Adequate Privacy and Opt-Out Notices. The OCIE Staff identified instances where firms did not provide customers with adequate privacy notices under Reg. S-P, because the notices did not: (i) accurately reflect the firms’ actual policies and procedures; or (ii) adequately disclose to the firms’ customers their rights related to the sharing of their personal information under Reg. S-P.
  • Adoption of Proper Policies and Procedures. The OCIE Staff noted that not all firms had adequate written policies and procedures as required by the Safeguards Rule. Some firms simply restated the text of the rule without including policies and procedures for “administrative, technical, and physical safeguards,” while other firms had only “form of” policies that they failed to complete properly. 
  • Implementation of Policies and Procedures. The OCIE Staff found that not all firms had written policies and procedures that were actually implemented or reasonably designed to protect their customers’ personally identifiable information (PII). Examples of these deficiencies included:
    • Improperly addressing firm employees’ access to and use of customer PII, including: (i) the storage and maintenance of PII on employee personal devices; (ii) the inclusion of PII in unencrypted electronic communications; (iii) employees sending customer PII outside of firm networks; and (iv) the termination of former employees’ access to firm systems. The OCIE Staff also found that some firms did not provide adequate employee training regarding their policies or did not adequately monitor their employees for compliance with such policies.
    • Not following written policies on vendor management with regard to customer PII.
    • Not maintaining an inventory of firm systems on which customer PII was maintained.
    • Having written incident response plans that did not adequately address key areas such as “role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.”
    • Storing customer PII in locations without proper physical safeguards.

Key Takeaways

The Risk Alert emphasizes that firms should undertake the following with regard to their cybersecurity programs:

Tailor Policies and Procedures to Specific Practices and Business. Firms should confirm that their cybersecurity policies and internal procedures are tailored to the risks associated with their businesses and their actual practices, and that their Reg. S-P privacy notices to customers reflect such actual practices. As the Risk Alert illustrates, the OCIE Staff views “form of” policies skeptically, and may find that such policies do not provide meaningful guidance or direction for compliance with Reg. S-P unless they are sufficiently tailored to the firm’s actual practices.

Review and Update Policies and Procedures to Confirm they are Reasonably Designed to Achieve Compliance. Firms should conduct periodic assessments to make certain their policies and procedures are reasonably designed to achieve compliance, and are implemented and enforced, including with regard to oversight of any third-party service providers or vendors.

Conduct Regular Employee Training and Monitoring. The Risk Alert emphasizes the role of employees as the first line of defense when it comes to cybersecurity incidents. The Risk Alert demonstrates the OCIE Staff’s views that inadequately training employees can lead to breakdowns in the implementation of policies, and that monitoring is essential to verifying that policies are being followed.

Conclusion

Firms should expect that the OCIE Staff will continue to focus on cybersecurity programs during examinations. The Risk Alert reminds firms of the importance of regularly reviewing their privacy and cybersecurity policies and procedures to confirm that the firm has a tailored program in place that is consistent with relevant regulatory requirements and the firm’s actual practices, and that works effectively to safeguard customer information and combat cybersecurity threats. The OCIE Staff did not disclose the number of firms found to have had problematic privacy practices, but its issuance of the Risk Alert signals that the OCIE Staff believes that at least some firms need to do more to achieve compliance with Reg. S-P.