On April 16, 2019, the Office of Compliance Inspections and Examinations ("OCIE") published a Risk Alert (the "Risk Alert") listing examples of the most common deficiencies and weaknesses identified by its staff in connection with Regulation S-P. The Risk Alert is intended to assist investment advisers and broker-dealers ("firms") registered with the Securities and Exchange Commission ("SEC") in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information. For purposes of Regulation S-P, "customer" includes an individual that has an advisory contract with an investment adviser (whether written or oral) or a brokerage account with a broker-dealer.
Regulation S-P requires a firm to provide to its customers a clear and conspicuous notice that accurately reflects its privacy policies and practices (1) generally no later than when it establishes a customer relationship ("Initial Privacy Notice"), and (2) at least annually during the continuation of the customer relationship ("Annual Privacy Notice," and together with the Initial Privacy Notice, "Privacy Notices"). Regulation S-P also requires a firm to deliver to its customers a clear and conspicuous notice that accurately explains the customer's right to opt out of having its non-public personal information disclosed to nonaffiliated third parties ("Opt-Out Notice"). Regulation S-P specifies the information that must be included in Privacy Notices and Opt-Out Notices, including the categories of nonpublic personal information that the firm collects and discloses. The SEC has adopted a model privacy form, the use of which provides a "safe harbor" for the required notices under Regulation S-P.
In addition, Regulation S-P requires firms to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Such policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to, or use of, customer records or information that could result in substantial harm or inconvenience to any customer.
The Risk Alert identifies deficiencies relating to (1) privacy and opt-out notices and (2) policies and procedures.
1. Privacy and Opt-Out Notices
OCIE staff observed firms that did not provide Privacy Notices and Opt-Out Notices to their customers. OCIE staff also observed firms that provided such notices without accurately reflecting their policies and procedures, or without notifying customers of their right to opt out of the firm sharing their nonpublic personal information with unaffiliated third parties.
2. Policies and Procedures
OCIE staff observed firms that did not have written policies and procedures as required under the Safeguards Rule, firms that had incomplete or deficient policies and procedures and firms that failed to follow their own policies and procedures. For example, OCIE staff observed:
- Firms with policies and procedures containing numerous blank spaces designed to be filled in by the firms;
- Firms with policies and procedures addressing the Privacy Notice requirement but not the Safeguards Rule requirement;
- Firms with policies and procedures that did not (i) appear reasonably designed to safeguard customer information on personal devices or to prevent employees from regularly sending unencrypted emails to customers containing personally identifiable information ("PII"), (ii) prohibit employees from sending customer PII to unsecure locations outside of the firms' networks, and (iii) identify all systems on which the firm maintained customer PII;
- Firms that did not provide adequate employee training on approved methods for the encryption, password-protection and transmission of customer information;
- Firms that failed to follow their own policies and procedures regarding requiring outside vendors to contractually agree to keep customer PII confidential;
- Firms with written incident response plans that failed to address important areas such as role assignments for implementation of the response plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities;
- Firms that stored customer PII in unsecure physical locations such as unlocked file cabinets in open offices;
- Firms that disseminated customer login credentials to more employees than permitted under their policies and procedures; and
- Firms that permitted former employees to retain access rights (including to restricted customer information) after departure.
In the past several years, the SEC has brought enforcement proceedings against firms for failure to adopt written policies and procedures reasonably designed to protect customer information. The Risk Alert also reflects the SEC's continued focus on firms' prevention of the loss of customer information resulting from cyber incidents. We encourage our clients to review their policies and procedures, and their implementation of such policies and procedures, to ensure compliance with Regulation S-P and other applicable requirements.