The SEC has again signaled that now is the time for investment advisers and broker-dealers to get serious about compliance with Reg. S-P. For years, the SEC’s examination priorities have included a focus on cybersecurity and/or customer privacy issues and, as its recent $1,000,000 fine of Voya Financial Advisors, Inc. confirms, the SEC is serious about protecting confidential customer information (see Avoiding an SEC Whack after a Cyber Hack).
As a part of that focus, and to assist broker-dealers and investment advisers in meeting their regulatory obligations, the SEC’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert titled, “Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies,” which identifies three broad categories where firms frequently fall short.
Firms would be well advised to evaluate the adequacy of their policies and procedures now as the SEC will certainly focus on these three areas in upcoming examinations.
Privacy and Opt-Out Notices
Under Reg. S-P, registrants must send a privacy notice to customers when the customer relationship is established and are also required to send notices to customers annually. Registrants must also provide notice that the customer may opt out of some sharing of their nonpublic personal information with third parties. The OCIE staff observed instances in which registrants failed to send the notices as required, instances in which the notices did not accurately reflect the registrants’ policies and procedures, and instances in which registrants failed to provide notice of customers’ opt-out rights. Sending the required notices at the required times is a simple step (the SEC provides a model form) and an essential one toward compliance with Reg. S-P.
Lack of Policies and Procedures
The second category of issues identified in the Risk Alert relates to registrants’ failure to adopt Reg. S-P written policies and procedures. Under Reg. S-P’s Safeguards Rule, registrants are required to:
adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
- Insure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The OCIE staff noted instances where registrants had not adopted the policies and procedures designed to address these issues. For example, the Risk Alert specifically noted that some registrants simply restated the rule, but adopted no substantive policies or procedures “related to administrative, technical, and physical safeguards.” In other instances, the OCIE staff pointed out that policies and procedures included blanks intended to be filled in, but had not been completed. To state what should be obvious, failing to adopt required policies and procedures is a surefire way to invite additional regulatory scrutiny.
Policies not implemented or not reasonably designed to safeguard customer records and information
Even when a firm has adopted policies and procedures, as required, the OCIE staff highlighted common deficiencies in those procedures or their implementation. In particular, the OCIE staff raised the following topics:
- Personal devices, such as laptops, and the need for policies and procedures to require proper configuration of such devices to safeguard customer information;
- Electronic communications and the need to have policies and procedures to prevent employees from sending unencrypted e-mails to customers;
- Training to ensure employees understand policies and procedures relating to encryption, password protection, and methods of transmission for customer information, and monitoring employees’ compliance with those policies and procedures;
- Unsecure networks and the need for policies and procedures prohibiting employees from sending customer information to unsecure locations outside the registrant’s network;
- Outside vendors and the need to follow policies and procedures regarding those vendors, such as policies and procedures requiring contractual agreements with vendors to protect the confidentiality of customer information;
- Personally Identifiable Information Inventory and the need to have policies and procedures which identify all systems which maintain customer information;
- Incident response plans and the need for such plans to address how to respond to a cybersecurity incident and how to assess system vulnerabilities;
- Unsecure physical locations, such as unlocked file cabinets in open offices, and the need to maintain the security of physical forms of customer information;
- Login credentials and the need to disseminate that information narrowly and only as permitted by policies and procedures; and
- Departed employees and the need to terminate or restrict their access rights after departure to prevent access to customer information.
Evaluate Policies and Procedures Now to Ensure Compliance
The Risk Alert “encourages registrants to review their written policies and procedures, including implementation of those policies and procedures to ensure that they are compliant with Regulation S-P.” Registrants have again been reminded of the necessity of sending required notices and of adopting and implementing appropriate policies and procedures focused on the areas identified above. Heeding the SEC’s “encouragement” now may prevent the misuse of confidential customer information, mitigate the effects of a data breach, and position a registrant on solid footing when dealing with its regulators.