On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms.
By way of background, Regulation S-P is the SEC’s data privacy regulation that implemented the privacy provisions of the Gramm-Leach-Bliley Act. In particular, this regulation protects the nonpublic personal information of customers, including personally identifiable financial information and consumer lists or descriptions derived from nonpublic information. To protect this information, Regulation S-P requires firms to do two main things.
- First, Regulation S-P requires firms to provide their customers with clear and conspicuous notices outlining the firms’ privacy policies and practices and providing customers with the opportunity to opt out of some disclosures to nonaffiliated third parties.
- Second, Regulation S-P also requires firms to adopt and maintain written policies and procedures to protect customer information from anticipated threats and unauthorized access through reasonable disposal and safeguard measures.
Although not mentioned in the risk alert, it should be noted that the SEC has used this regulation as one of its primary enforcement hooks – along with Regulation S-ID, the Custody Rule, and the Compliance Rule – to sanction firms for not reasonably protecting against, or responding to, data breaches and cybersecurity events.
Risk Alert Observations
During its recent examinations, OCIE observed three common deficiencies relating to Regulation S-P compliance.
- First, OCIE observed that many firms neither provided privacy or opt-out notices to their customers nor accurately described their privacy policies and procedures in those notices that were sent out. For example, some notices did not disclose, as required, the customers’ ability to opt out of disclosures to nonaffiliated third parties. As noted by the risk alert, under the FAST Act exception, firms are not required to provide an annual privacy notice if they (i) do not share nonpublic personal information except for certain purposes that do not trigger the customer’s right to opt out and (ii) have not changed their privacy policies and procedures from those disclosed in the most recent privacy notice provided to the customer. Barring exceptional circumstances, firms should provide a privacy notice at the time the customer relationship is established with the firm, and no later than when the customer delivers securities or money to the firm.
- Second, OCIE observed that some firms did not have policies and procedures to safeguard customer information. A mere restatement of Regulation S-P’s Safeguards Rule without tailored policies and procedures to address it is insufficient in the eyes of the OCIE staff. As in all other aspects of a compliance program, OCIE expects firms to tailor their Regulation S-P policies and procedures to address the risks their businesses pose to customer information. Boilerplate or stale written policies and procedures, let alone an absence of them altogether, are viewed critically by the OCIE staff.
- Third, OCIE observed that many firms that had such policies and procedures in place did not reasonably design them to protect customer information from anticipated threats and unauthorized access. For example, the risk alert emphasized the critical steps of identifying where customer information resides and preparing an incident response plan, noting: “Without an inventory of all such systems, registrants may be unaware of the categories of customer PII that they maintain, which could limit their ability to adopt reasonably designed policies and procedures and adequately safeguard customer information.” The risk alert similarly encouraged firms to train their employees on the proper ways to transmit customer information and to monitor those employees to ensure the policies are being followed. The risk alert also noted gaps in policies and procedures addressing the use of personal devices, electronic communications, unsecured networks, and outside vendors, observing that encryption and access controls are likewise vital parts of any Regulation S-P compliance program.
Given the SEC’s continued focus on retail investors and cybersecurity as well as the intersection of data privacy and cybersecurity, broker-dealers, investment advisers, fund managers, and other registered firms should carefully review this risk alert and previous guidance (covered by us here, here, here, and here) to ensure their supervisory, compliance, risk management, and information technology programs are meeting regulatory expectations.