On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a risk alert identifying some of the Regulation S-P compliance issues it observed in recent examinations of SEC-registered investment advisers and broker-dealers. Regulation S-P is the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers. OCIE’s risk alert is intended to assist firms in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.
The most common deficiencies or weaknesses observed by OCIE included the following:
- Privacy and opt-out notice delivery failures. Failure to provide initial or annual privacy notices and opt-out notices or failure to provide notices accurately reflecting a firm’s policies and procedures.
- Lack of policies and procedures. Failure to adopt written policies and procedures in whole or in part, including failure to include policies and procedures related to administrative, technical and physical safeguards.
- Policies not implemented or not reasonably designed to safeguard customer records and information. Failure to implement or adopt policies reasonably designed to (1) ensure the security and confidentiality of customer records and information, (2) protect against anticipated threats or hazards to the security or integrity of customer records and information, and (3) protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to customers.
Specific issues observed by OCIE staff related to, among other things, the following:
- inadequate policies and procedures to safeguard customer information on personal devices;
- inclusion of personally identifiable information (PII) in electronic communications;
- inadequate training and/or ongoing monitoring of policy implementation;
- use of unsecure networks to transmit customer PII;
- failure to follow policies and procedures with respect to outside vendors;
- failure to identify all systems on which firms maintained customer PII;
- insufficient incident response plans;
- unsecure physical locations;
- dissemination of login credentials; and
- retention of access rights by former employees.
OCIE’s announcement and a link to the risk alert are available at: https://www.sec.gov/ocie/announcement/ocie-riskalert-regulation-s-p