Last week, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a “Risk Alert” regarding the compliance practices for privacy notices and safeguard policies for investment advisers and broker-dealers. This Risk Alert focuses on compliance issues related to Regulation S-P, the primary SEC rule governing these practices. Consistent with other historical risk alerts, in this alert, OCIE summarizes findings from two-year’s worth of issues identified in deficiency letters to assist investment advisers and broker-dealers in adopting and implementing effective policies and procedures for safeguarding customer records and information pursuant to Regulation S-P. That said, OCIE Risk Alerts also put the industry “on notice” and have been cited to by the Division of Enforcement as recently as the SEC’s Share Class Selection Disclosure Initiative to support enforcement strategies.
Among other things, Regulation S-P requires an SEC registrant to 1) provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices generally no later than when it establishes a customer relationship (“Initial Privacy Notice”); 2) provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship (“Annual Privacy Notice,” and together with the Initial Privacy Notice, “Privacy Notices”); and 3) deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of nonpublic personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”). Further, Regulation S-P describes the information that must be included in Privacy Notices, including the categories of nonpublic personal information that the registrant collects and discloses, and in Opt-Out Notices. The Safeguards Rule of Regulation S-P requires registrants to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
OCIE’s Regulation S-P Findings
In summarizing its Regulation S-P findings from the past two years, OCIE provided the following:
- Registrants that did not provide Initial Privacy Notices, Annual Privacy Notices, and Opt-Out Notices to their customers; did not provide them in a way that accurately reflected firms’ policies and procedures; or did not provide notice to customers of their right to opt out of the registrant sharing their nonpublic personal information with nonaffiliated third parties;
- Registrants that did not have written policies and procedures as required under the Safeguards Rule; certain firms that restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards; certain firms with written policies and procedures that contained numerous blank spaces designed to be filled in by registrants; and firms with policies that addressed the delivery and content of a Privacy Notice but did not contain any written policies and procedures as required by the Safeguards Rule; and
- Registrants with written policies and procedures that did not appear to have been implemented or reasonably designed to 1) ensure the security and confidentiality of customer records and information, 2) protect against anticipated threats or hazards to the security or integrity of customer records and information, and 3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers. The staff observed this violative conduct across a variety of firms and their practices, such as the following:
- Policies and procedures that did not appear to be reasonably designed to safeguard customer information on personal devices;
- Policies and procedures that did not address the inclusion of customer personally identifiable information (“PII”) in electronic communications;
- Policies and procedures that required customer information to be encrypted, password-protected, and transmitted using only registrant-approved methods were not reasonably designed because employees were not provided with adequate training on these methods, and the firm failed to monitor whether the policies were being followed by employees;
- Policies and procedures that did not prohibit employees from sending customer PII to unsecure locations outside of the registrants’ networks;
- Registrants failed to follow their own policies and procedures regarding outside vendors;
- Policies and procedures that did not identify all systems on which the registrant maintained customer PII;
- Written incident response plans that did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities;
- Customer PII that was stored in unsecure physical locations, such as in unlocked file cabinets in open offices;
- Customer login credentials that had been disseminated to more employees than permitted under firms’ policies and procedures; and
- Instances in which former employees of firms retained access rights after their departures and therefore could access restricted customer information.
Conclusion / Takeaways
Consistent with its practice in concluding its Risk Alerts, OCIE “encourages” registrants to review their policies and procedures accordingly to ensure that they are in compliance. Recent initiatives by the SEC’s Division of Enforcement, however, suggest a more focused approach by registrants on compliance with their privacy policies and procedures. Indeed, Chairman Clayton created the SEC’s first new enforcement specialty unit in years to focus on these types of issues with his announcement of the “Cyber Unit” approximately 18 months ago . The Cyber Unit’s desire to bring cases, coupled with the Chairman’s support of this unit, indicates that the firms should take this alert/notice from OCIE with the utmost seriousness and should review and remediate their policies, procedures, and practices where necessary.