On April 16, 2019, the staff from the Office of Compliance Inspections and Examinations (the “OCIE”) of the US Securities and Exchange Commission (“SEC”) published a Risk Alert describing privacy and related customer information safeguarding issues it has identified in recent examinations of registered investment advisers and broker-dealers (“Registered Entities”).1 These issues continue to be an oversight concern of OCIE, more recently in connection with the safeguarding of client information from cybersecurity incidents and breaches. This Legal Update summarizes certain observations identified by OCIE related to those exams and provides certain key takeaways for Registered Entities.
Under the SEC’s Regulation S-P (“Reg S-P”), a Registered Entity is required to (i) provide an initial privacy notice describing its privacy policies and practices to customers at the time of onboarding, (ii) provide an annual privacy notice describing its current privacy policies and practices (to the extent not excluded from the requirement) and (iii) notify customers of their right to opt out of some disclosures of non-public personal information to nonaffiliated third parties (commonly referred to as an “opt-out” notice).2
Reg S-P also contains the Safeguards Rule, which requires Registered Entities to adopt “written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information” and to properly dispose of consumer report information. Under the Safeguards Rule, these written policies and procedures must be reasonably designed to:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.3
Issues Identified by OCIE from Recent Exams
In the Risk Alert, OCIE described the following three categories of common exam deficiencies related to Reg S-P.
- Privacy and Opt-Out Notices: OCIE identified that certain Registered Entities failed to provide the required initial or annual privacy notices as well as opt-out notices to customers. OCIE noted that even when Registered Entities did provide the required notices, it observed that in certain instances the notices did not accurately describe the Registered Entity’s privacy policies and practices and/or did not provide notice of the customer’s right to opt out of the Registered Entity’s sharing of certain customer information with nonaffiliated third parties.
- Lack of Reg S-P Policies and Procedures: OCIE also observed that some Registered Entities did not have written policies and procedures as required under the Safeguards Rule. In particular, OCIE noted certain examples of non-compliance that included a Registered Entity having (i) a document that stated the text of the Safeguards Rule but failed to tailor that document to the firm’s actual compliance activities, (ii) template versions of Reg S-P policies and procedures that had blank spaces for the firm’s terms and practices and (iii) a policy that addressed the privacy requirements of Reg S-P but did not address the Safeguards Rule.
- Deficient Policies and Procedures Related to the Safeguards Rule: In addition, OCIE observed that certain Registered Entities had written policies and procedures that did not appear to be implemented or reasonably designed to satisfy the three main elements of the Safeguards Rule. For example, OCIE noted that some policies and procedures did not address:
  - Employees’ use of personal devices for business purposes (in particular, employees safeguarding customers’ personally identifiable information (“PII”) on their personal devices such as home laptops);
  - Training employees on the firm’s safeguarding requirements and monitoring whether such requirements were being followed;
  - The use of outside vendors (such as requiring outside vendors to comply with the firm’s safeguarding policies in connection with customer PII);
  - Cataloging firm systems that maintain customer PII;
  - Maintaining incident response plans that address cybersecurity threats and assess firm system vulnerabilities;
  - The security of the storage of customer PII in physical locations (for example, in locked file cabinets);
  - System access (including, but not limited to, the process for granting access rights to appropriate employees and procedures for revoking system access for departing employees); and
  - Other considerations for electronic communications and networks (such as email encryption and securing networks that have customer PII).
Key Takeaways for Registered Entities
All Registered Entities should review their written policies and procedures, and the implementation of those policies and procedures, to ensure that they comply with Reg S-P. Registered Entities should evaluate whether their customer safeguarding procedures—as well as any related procedures that may touch on privacy and customer PII, such as cybersecurity procedures—address or mitigate OCIE’s most recent observations as well as prior SEC staff guidance. Furthermore, Registered Entities should regularly monitor, evaluate and adjust their information safeguarding and incident response programs in light of any relevant changes in (i) technology, (ii) the sensitivity of customer information, (iii) internal or external threats to information and (iv) their own business arrangements (e.g., new mergers, joint ventures, and outsourcing arrangements and changes to information systems).
As noted previously, the SEC staff’s focus on privacy and information safeguarding issues (including Reg S-P compliance) is an ongoing matter. For example, last year the SEC’s Division of Enforcement brought its first settlement action against a dual-registered investment adviser/broker-dealer for violations of the Identity Theft Red Flags Rule (which addresses the Identity Theft Prevention Program requirements) and included in the action charges related to violations of Reg S-P.4 That action built on other high-profile settlement actions that the SEC brought against registered investment advisers in 2015 and 2016 for Reg S-P violations.5
In addition, OCIE has touched on privacy and safeguarding issues in other related topics, such as cybersecurity. For example, recent cybersecurity sweeps by OCIE on registered advisers include document requests focused on OCIE’s key cybersecurity topics that are similar or closely related to the above exam observations, including access rights and controls, training, incident response, vendor management and governance and risk management.6 Last December, OCIE also released a Risk Alert relating to electronic messages, which included OCIE observations from recent exams covering employee use of personal devices for business purposes and whether registered advisers have adequate policies and procedures in place to train and monitor staff regarding the use of electronic messaging and compliance with applicable laws (such as, but not limited to, Reg S-P).7
Lastly, the Financial Industry Regulatory Authority (“FINRA”), the self-regulatory organization for registered broker-dealers, also has been active in enforcing Reg S-P by making it an item of focus for its 2019 examination priorities and publishing a report of effective practices it has seen broker-dealers use to implement information security controls.8 Dual-registered firms and broker-dealers should also review the applicable FINRA guidance and regulation when evaluating whether their customer information safeguarding and cybersecurity policies and procedures address both applicable SEC and FINRA requirements.