On April 16, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert highlighting Regulation S-P compliance deficiencies and issues it found in recent examinations of broker-dealers and investment advisers. Regulation S-P is the primary SEC rule detailing the safeguards these firms must take to protect customer privacy. The Risk Alert provides an important reminder for firms to assess their supervisory and compliance programs related to Regulation S-P and make any necessary changes to strengthen those systems. Indeed, in light of the substantial fines that can accompany a finding that Regulation S-P has been violated, firms must pay careful attention to the OCIE’s guidance regarding potential pitfalls.
Regulation S-P requires broker-dealers and investment advisers to adopt written policies and procedures addressing the protection of customer records and information (the “Safeguards Rule”). These policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against anticipated threats or hazards to their security or integrity, and protect against unauthorized access to or use of that information. Additionally, Regulation S-P requires firms to send customers notices describing the firm’s privacy policies and practices (when the customer relationship is established and annually thereafter) as well as an “opt out notice” that explains customers’ right to opt out of certain disclosures of their nonpublic personal information to nonaffiliated third parties. Firms that fail to comply with Regulation S-P can face substantial fines; last year the SEC fined a broker-dealer $1 million for failing to maintain adequate safeguards against identity theft.
The Risk Alert highlights examples of common deficiencies or weaknesses that OCIE staff identified related to Regulation S-P in their examinations, which serve as considerations for firms evaluating their own policies and procedures:
- Failure to Provide Adequate Notices. Some examined firms failed to provide the notices required by Regulation S-P, whereas others provided notices that did not contain required information, such as information regarding a customer’s opt-out right.
- Lack of Adequate Policies and Procedures. Some firms did not have adequate written policies and procedures addressing customer privacy. The OCIE noted that policies and procedures that simply restate the rules contained within Regulation S-P are insufficient; rather, these documents must actually describe the administrative, technical, and physical safeguards the firm has put in place. Similarly, “off the shelf” policies and procedures—which firms sometimes buy from third-party vendors—are insufficient if firms do not add detail as to how they are actually being implemented.
- Poorly Designed or Unimplemented Policies. The OCIE observed that even where firms had written policies and procedures, in some cases they were either not actually implemented or not reasonably designed to meet the requirements of Regulation S-P. The OCIE identified specific areas where firms’ policies and procedures were either poorly designed or not implemented:
  - Personal devices. The OCIE highlighted firms whose employees regularly stored and maintained customer personally identifiable information (“PII”) on their personal laptops, but whose policies and procedures did not address how to safeguard that information.
  - Email. Some firms did not have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails containing customer PII. Other firms did have such policies but did not provide adequate training to employees or failed to monitor whether their policies were actually being followed.
  - Outside Vendors. Some firms failed to follow their own policies and procedures when dealing with outside vendors. The OCIE noted firms that failed to require outside vendors to contractually agree to keep customer PII confidential, even where the firms’ own policies and procedures required such agreements.
  - Failure to Identify Systems with Customer Information. Some firms did not inventory all systems on which they maintained customer PII, which the OCIE stated could limit their ability to safeguard that information.
  - Inadequate Incident Response Plans. Some firms’ incident response plans did not address important areas such as the actions required to respond to a cybersecurity incident and assessments of system vulnerabilities.
  - Unsecured Physical Locations and Unauthorized Access. The OCIE noted firms that stored customer PII in unsecured physical locations (such as unlocked file cabinets), as well as cases in which customer login credentials had been sent to employees who were not authorized to receive them.
  - Departed Employees. Finally, the OCIE noted instances in which former employees retained access rights to customer PII after leaving the firm.
The Risk Alert serves as a timely reminder to all broker-dealers and investment advisers to review their written policies and procedures, as well as the implementation of those policies and procedures, to ensure they are compliant with Regulation S-P. The Alert also serves as a complement to FINRA’s 2018 Report on Selected Cybersecurity Practices, which set forth FINRA’s observations regarding effective practices that firms have implemented to address cybersecurity risks, including risks related to identity theft.