The SEC’s Office of Compliance Inspections and Examinations (OCIE) published a risk alert to encourage registrants to review their privacy policies in light of certain deficiencies observed by OCIE staff during recent examinations. The risk alert is intended to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in ensuring the security of customer records and information.
Safeguards Rule of Regulation S-P
The Safeguards Rule in the SEC’s Regulation S-P requires registrants to inform their customers of their privacy policies and practices when the customer relationship is initially created. If this relationship continues, unless an exemption is available, the registrant must then provide a notice of those policies and practices on an annual basis. Finally, registrants must deliver a notice allowing customers to opt out of disclosure of certain nonpublic information to nonaffiliated third parties.
Regulation S-P also requires registrants to have policies and procedures to protect the security, confidentiality and integrity of their customers’ information. More specifically, registrants must protect against unauthorized access to customer information that could result in “substantial harm or inconvenience” to any customer.
Insufficient Privacy Policies and Procedures
OCIE staff observed that certain firms did not provide initial privacy notices, annual privacy notices and opt-out notices to their customers at all. In other instances, the notices did not reflect the firm’s policies and procedures, or the policies and procedures were incomplete because they restated the applicable rules but did not include the details pertaining to the administrative, technical and physical safeguards with respect to customer information.
The majority of the risk alert focused on issues identified by OCIE staff that involved policies that were either not implemented or not reasonably designed to safeguard customer information. More specifically, OCIE staff observed deficiencies in the following areas:
- Personal devices. Certain policies did not address the protection of customer information on personal devices, such as laptops.
- Electronic communications. Other policies did not address the inclusion of customers’ personally identifiable information (PII) in electronic communications, namely by not preventing employees from sending unencrypted emails containing this information.
- Training and monitoring. Even where policies required customer PII to be encrypted, password-protected and transmitted only by approved methods, OCIE found that employees were not given adequate training on how to handle this information. Firms must also monitor that their employees actually follow the policies.
- Unsecure networks. In certain instances, customers’ PII was sent on unsecure networks.
- Outside vendors. Registrants occasionally dealt with outside vendors without ensuring those vendors contractually agreed to adhere to the registrant’s privacy policies and procedures.
- PII inventory. Certain policies did not identify all the systems on which customers’ PII was stored, thereby limiting the policies’ effectiveness.
- Incident response plans. Written incident response plans were sometimes deficient because they failed to (i) assign specific responsibilities for their implementation, (ii) include an assessment of system vulnerabilities, and/or (iii) describe which actions would be taken in the event of a cybersecurity incident.
- Unsecure physical locations. Customer PII was occasionally stored in unsecure physical locations, such as unlocked file cabinets in open offices.
- Login credentials. Customer login credentials had occasionally been disseminated to more employees than permitted under the firm’s policies.
- Departed employees. Former employees occasionally retained access rights to customer PII.
Next Steps: Governance, Network (Re)Configuration and Monitoring
OCIE staff indicated that many registrants have modified both their policies and their procedures to respond to the issues identified by OCIE staff. However, OCIE encouraged registrants to review their policies and procedures, including their implementation, to ensure compliance with Regulation S-P.
Privacy protection also remains a priority for OCIE, as indicated in its 2019 Examination Priorities. We recently reviewed those priorities and discussed how they could impact registrants. With respect to cybersecurity, OCIE indicated this area would remain a priority in each of its five examination programs.
Although the focus of OCIE’s risk alert was largely on policies and procedures, registrants should also note that OCIE is focusing on proper configuration of network storage devices and information security governance generally. In the case of investment advisers, OCIE is focusing on cybersecurity practices at investment advisers with multiple branch offices, and investment advisers that have recently undergone a merger.
The risk alert highlights certain registrants’ comparative lack of preparedness for cybersecurity incidents and suggests that certain measures to safeguard customer information are relatively easy to take. As with many regulatory priorities, compliance starts with good governance. So, as suggested by the OCIE, registrants should review their privacy policies to ensure they are both compliant and implemented. As famously stated by Mark Twain, “The secret of getting ahead is getting started.”