On April 16, 2019, the Office of Compliance Inspections and Examinations (“OCIE” or “Staff”) of the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert (“Alert”) urging broker-dealers and investment advisors (together, “firms”) to “review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are compliant with Regulation S-P.”
Under the Safeguards Rule of Regulation S-P, registered firms are required to adopt written policies and procedures that are reasonably designed to ensure the security and confidentiality of customer records and information, and to protect against unauthorized access to, or use of, customer records or information. The rule further obligates firms to provide initial and annual privacy notices to customers that accurately reflect the firm’s privacy policies and practices and inform customers of their rights, including the right to opt out of some disclosures to non-affiliated third parties.
According to the Alert, in recent examinations Staff identified a number of compliance issues related to failures to comply with the requirements of Regulation S-P. The Alert provides a list of the most common deficiencies cited, including:
• Failures to Provide Privacy & Opt-Out Notices: Staff noted that firms failed to provide initial or annual privacy notices or opt-out notices to customers, and that where such notices were provided, they did not accurately reflect the firm’s written policies and procedures.
• Failures to Maintain Adequate Written Policies and Procedures: Staff identified that some firms did not maintain written policies covering the administrative, technical and physical safeguards designed to ensure the security and confidentiality of customer records and information. Staff also “observed written policies and procedures that contained numerous blank spaces” that were designed to be filled in but were apparently never completed.
• Failures to Adequately Implement Written Policies and Procedures: Staff noted that even when firms did have written policies and procedures, they were either not properly implemented or were not reasonably designed to comply with the rules. Deficiencies found in policies and procedures included, among other things, failure to address proper security and encryption of customer information within electronic communications; failure to provide for adequate training and compliance monitoring; failure to maintain adequate written security incident response plans; and failure to identify and inventory systems that contain customer information.
The Alert should serve as another reminder that cybersecurity and privacy are high on the SEC’s priorities, as noted in its 2019 Exam Priorities announcement.