As every investment adviser, broker-dealer, and fund (and their lawyer) knows, noncompliance with Regulation S-P, the SEC’s primary rule on privacy notices and safeguard policies, can land a registrant in hot and expensive water. What noncompliance looks like, however, has not always been clear. On April 16, 2019, the staff of the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert setting forth common Regulation S-P compliance issues observed over the last two years of exams.1
- Privacy and Opt-Out Notice Deficiencies:
Common privacy and opt-out notice deficiencies observed by OCIE included the failure to provide timely and accurate privacy notices to customers, as well as privacy notices that did not tell customers they could opt out of the sharing of their nonpublic personal information.
- Policy and Procedure Deficiencies:
OCIE observed failures to design comprehensive policies and procedures under Rule 30(a) of Regulation S-P (the Safeguards Rule), which requires firms to adopt written policies and procedures reasonably designed to safeguard customer records and information. OCIE noted that merely restating the Safeguards Rule is insufficient; the policies and procedures must describe the actual administrative, technical, and physical safeguards the firm uses. OCIE went on to list specific observations of firms that either failed to implement their policies or designed policies that did not actually safeguard customer information. Read in the affirmative, that list gives firms a set of tangible steps for safeguarding customer information:
- Design and implement policies and procedures to safeguard customer information on personal laptops, prevent employees from sending unencrypted emails containing personally identifiable information (PII), and prohibit employees from sending customer PII to unsecured outside networks. Relatedly, design and implement procedures to safeguard hard-copy customer information (e.g., lock file cabinets in open offices).
- Train employees on the methods used to protect customer information and monitor whether these safeguards are being followed.
- Review third parties’ handling of customer information and ensure adequate protection. If the firm’s policies and procedures require outside vendors to contractually agree to keep customer PII confidential, firms should require the outside vendors to sign those contracts.
- Inventory customer PII and where it is kept. Firms can’t keep it safe if they don’t know where it is.
- Cut off departing employees' access to customer information before they depart, so they cannot review or copy it on the way out.
- Limit employee access to the customer information their roles require, and share login credentials to systems holding customer information only where needed and permitted by policy.
- Design and implement an incident response plan. The plan needs to address: (1) who is responsible for carrying out the plan; (2) how the firm will respond to a cybersecurity incident; and (3) an assessment of system vulnerabilities.
- Other Issues That Firms May Want to Address:
Although not discussed in the Risk Alert, we have observed that the SEC has been looking at two issues relating to the Broker Protocol and compliance with Regulation S-P: (1) how firms that are members of the Broker Protocol disclose in their privacy notices that firms or departing representatives may provide PII to the departing representatives’ new firms; and (2) how firms track whether customers opt out of the disclosure of such information.
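The inventory step above ("firms can't keep it safe if they don't know where it is") is the one item on OCIE's list that is straightforward to start automating. The following is an added example, not code from the Risk Alert or from the original article: it walks a directory tree, flags files whose contents resemble customer PII, and reports whether each hit sits in an approved storage location. The detection patterns (a U.S. Social Security number shape and an assumed "ACCT-" account-number format), the list of text file types, the approved-location prefix, and the sample files it builds in a temporary directory are all assumptions for illustration; a real scan would tune the patterns against the firm's actual data formats and false-positive rate.

```python
"""PII discovery scan (added example; not from the Risk Alert or the article).

Walks a directory tree, flags text files containing patterns that look like
customer PII, and reports where they are and whether that location is one the
firm's policies approve for storing customer information.
"""
import re
import tempfile
from pathlib import Path

# Assumed detection patterns. The SSN pattern rejects area numbers 000, 666 and
# 900-999, group 00 and serial 0000, which are never issued. "ACCT-########"
# is a hypothetical internal account-number format.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "account_number": re.compile(r"\bACCT-\d{8}\b"),
}

# Assumed: only these file types are scanned as text.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".eml"}


def scan_text(text):
    """Return {pattern_name: match_count} for every pattern that hits in text."""
    hits = {}
    for name, rx in PATTERNS.items():
        count = len(rx.findall(text))
        if count:
            hits[name] = count
    return hits


def scan_tree(root, approved_dirs):
    """Scan every text file under root.

    approved_dirs is a list of path prefixes (relative to root, POSIX style)
    where customer PII is permitted to live. Returns one finding per file that
    contains at least one hit, with the path, per-pattern counts and whether
    the file is inside an approved location.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the inventory
        hits = scan_text(text)
        if not hits:
            continue
        rel = path.relative_to(root).as_posix()
        approved = any(rel.startswith(prefix) for prefix in approved_dirs)
        findings.append({"path": rel, "hits": hits, "approved_location": approved})
    return findings


# Constructed sample data for the demo; not real customer records.
SAMPLE_FILES = {
    "records/accounts.csv": "name,ssn,acct\nJane Doe,123-45-6789,ACCT-00012345\n",
    "shared/export.txt": "Copied for the new firm: 456-78-9012\n",
    "notes/readme.txt": "No customer data here. Version 1.2.3\n",
}


def build_sample_tree():
    """Write the constructed sample files into a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="sp_scan_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def run_demo():
    """Scan the sample tree with 'records/' as the only approved location."""
    root = build_sample_tree()
    findings = scan_tree(root, approved_dirs=["records/"])
    for finding in sorted(findings, key=lambda f: f["path"]):
        flag = "" if finding["approved_location"] else "  <-- outside approved location"
        print(f"{finding['path']}: {finding['hits']}{flag}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Running the demo reports the approved `records/accounts.csv` alongside `shared/export.txt`, which holds an SSN outside any approved location; the latter is the kind of file that the "departing employee" and "unsecured outside network" observations above are about. The scan is only an inventory, not a control: it says where the data is so that encryption, access restriction and deletion decisions can follow.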
The Risk Alert does not say what noncompliance with Regulation S-P can cost a firm. The following enforcement actions against firms that failed to comply with Regulation S-P give a sense of the range:
- The SEC charged a dually registered broker-dealer and investment adviser with violations of Regulation S-P, specifically the Safeguards Rule and the Identity Theft Red Flags Rule. The firm paid a $1,000,000 penalty to settle charges relating to cybersecurity failures that resulted in cyber-intruders gaining access to customer information. Although the firm had policies and procedures to address cybersecurity threats, the SEC found that the firm did not adequately enforce them.
- The SEC settled an action against a dually registered firm for a $1,000,000 penalty related to the firm’s failure to adopt written policies and procedures to protect customer data, allowing a then-employee to transfer customer data to his personal server, which was subsequently hacked by a third party. Specifically, the firm did not restrict employee access to customer information based on an employee’s legitimate business need.
- The SEC settled an action for $75,000 against an investment adviser that failed to adopt written policies and procedures to protect customer information when it stored client information on a third-party hosted web server that was ultimately victim of a cybersecurity attack.
- FINRA fined a broker-dealer $225,000 for Regulation S-P violations after an unencrypted laptop containing customer information was lost. Although there was no evidence that the customer information was accessed, FINRA focused on the firm's violation of its own policies and procedures requiring encryption of laptops that hold confidential customer information.
- FINRA fined another broker-dealer $175,000 for Regulation S-P violations after finding that it failed to safeguard customer information by not configuring firewall protections and by relying on ineffective username and password controls.
* * *
As regulators’ interest in Regulation S-P increases, firms should consider reviewing their privacy notice process to confirm that they provide timely, accurate, and comprehensive privacy notices to their customers. In addition, firms may want to review and update existing data security and compliance policies and procedures to avoid the missteps described above. If firms fail to heed the messages contained in OCIE’s Risk Alert, they may find themselves receiving a “notice” that they are the subject of an enforcement action.