The Office of Compliance Inspections and Examinations of the Securities and Exchange Commission issued a Risk Alert, describing issues it detected during recent inspections at SEC-registered broker-dealers and investment advisers related to requirements regarding privacy notices to customers, as well as policies designed to safeguard customer records and information.

Among the most common deficiencies, said OCIE, were that registrants (1) did not provide initial or annual privacy notices or opt-out rights notices to customers; (2) did not have written policies and procedures designed to ensure the security and confidentiality of customer records and information to protect against their compromise; and (3) where policies and procedures existed, they were inadequate.

Under SEC Regulation S-P (click here to access), BDs, IAs and investment companies must provide a “clear and conspicuous” notice to customers describing their policies and practices by no later than when the customer relationship is initiated, and thereafter no less than annually. Such registrants must also provide a notice to each customer advising it of its right to opt out of some sharing of private customer personal information with nonaffiliated third parties. Impacted registrants must also maintain policies and procedures for customer records and information “reasonably designed” to ensure the material's security and confidentiality, protect against anticipated threats to such records’ and information’s integrity, and protect such records and information against unauthorized access that could cause material harm or inconvenience to any customer.

OCIE said that BD and IA policies and procedures did not always address (1) customer information stored on personal devices of registrants’ employees; (2) the transmission of emails containing customer personally identifiable information (PII) that might be unencrypted; (3) training and monitoring; (4) the sending of customer PII to locations outside of a registrant’s network; (5) the inventorying of all systems that contain PII; and (6) how a firm would address a cybersecurity incident. OCIE said that impacted registrants also did not always apply their policies and procedures in relationships with outside vendors. Sometimes customer PII was maintained in unsecured physical locations, customer log-in information was provided to more employees than authorized under the firm’s policies and procedures, and departed employees sometimes retained access to restricted customer information.

OCIE recommended that all registrants review their written policies and procedures to ensure their compliance with Regulation S-P.

In August 2017, OCIE issued a report saying that registrants “increased cybersecurity preparedness” since 2014 after reviewing 75 registrants, including BDs, IAs and investment companies. However, OCIE also concluded that firms’ cybersecurity policies and procedures were not uniformly tailored to their business because they were too vague or general and were not always followed or enforced. In some cases, policies and procedures did not reflect actual practices. (For background, click here for the article “SEC Watchdog Finds Cybersecurity Policies Better But Not Always Enforced” in the August 13, 2017 edition of Bridging the Week.)

Separately, the Commodity Futures Trading Commission adopted a final rule that eliminated the requirement for certain registrants to provide an annual privacy notice to all customers provided they solely share nonpublic information with nonaffiliated persons in certain enumerated circumstances, and they have not changed their policies and practices regarding the disclosure of nonpublic PPI since their most recently required privacy notice was provided to customers. (Click here for additional information regarding the CFTC final rule when it was in its proposed form in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.) The CFTC’s amended rule will be effective 30 days after it is published in the Federal Register.

Compliance Weeds: The CFTC maintains an equivalent set of rules as Regulation S-P with virtually identical requirements (click here to access CFTC Part 160). These rules apply to futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers and major swap participants.

Additionally, both the SEC and CFTC require designated registrants to maintain an identity theft prevention program that aims to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution, and the nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.” (Click here to access the SEC’s Identity Theft Red Flags Rule (Regulation S-ID) and here for the CFTC’s equivalent set of rules (CFTC Part 162).)

Recently, the National Futures Association revised its 2016 requirement that members maintain a written Information Systems Security Program that addresses the risk of unauthorized access or attack on their information technology systems and how they would respond if attacked. The new amendments, effective April 1, 2019, modified requirements related to training, ISSP approval and notice to the NFA of cybersecurity incidents. (Click here for details in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.)

The consequences of not complying with specific regulatory edicts regarding customer information protection and not responding to cyber-hacks in a manner deemed appropriate by a regulator can be costly, and additionally result in reputational harm. Both the SEC and CFTC, as well as the UK Financial Conduct Authority, have brought enforcement actions against and fined registrants for not, in their view, responding appropriately in response to a cybersecurity breach, under either a specific prohibition or a general failure to supervise. (Click here for background in the article “UK Bank Fined GB £16.4 Million Related to Cyber‑Attack Because of Employee Breakdowns” and related Compliance Weeds in the October 14, 2018 edition of Bridging the Week.)

Earlier this year, the Financial Industry Regulatory Authority released a report on effective cybersecurity practices it observed at member firms related to branch office controls, phishing, insider threats, penetration testing and mobile devices. (Click here for details in the article “FINRA Publicizes Effective Practices at Members to Mitigate Cybersecurity Risks” in the January 6, 2019 edition of Bridging the Week.)

It’s always a good time for registrants to review the adequacy of their customer information protection and cybersecurity policies and procedures, and ensure programs mandated by such procedures are followed scrupulously. Training and testing should occur regularly.