On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert regarding its observations of compliance issues related to Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers (“registrants”). The Risk Alert is intended to assist advisers and broker-dealers in complying with the privacy and opt-out notices, as well as adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.
Privacy and Opt-Out Notices
Under Regulation S-P, registrants are required to provide customers with an accurate description of their privacy policies, and practices at the time a relationship is established (“Initial Privacy Notice”) and on an annual basis during the continuation of the customer relationship (“Annual Privacy Notice”). The Privacy Notice must include an explanation of the customer’s right to opt out of some disclosures of non-public personal information that the registrant collects about the customer, to non-affiliated third parties (“Opt-Out Notice”).
OCIE staff observed registrants that either did not provide Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to their customers or provided notices that did not accurately reflect firms’ policies and procedures or include information about a customer’s right to opt out of the registrant sharing their non-public personal information with non-affiliated third parties.
Lack of policies and procedures for safeguarding customer records and information
The Safeguards Rule of Regulation S-P requires registrants to adopt written policies and procedures that are reasonably designed to ensure the security and confidentiality of customer records and information. These also protect against any anticipated threats or hazards to the security or integrity of customer records and information and protect against unauthorized access of the customer records or information that could result in substantial harm or inconvenience to any customer.
OCIE staff observed the following common issues with registrants’ written policies and procedures:
Personal devices: Registrants did not have policies and procedures that addressed how employee personal devices were to be properly configured to safeguard customer information regularly stored and maintained on employees’ personal laptops.
Electronic communications: Registrants did not have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails to customers that contained a customer’s personally identifiable information (PII).
Training and monitoring: Employees were not properly trained and firms did not appropriately monitor policies and procedures that required customer information to be encrypted, password-protected and transmitted using only registrant-approved methods.
Unsecure networks: Policies and procedures did not prohibit employees from sending customer PII to unsecure locations outside of the registrants’ networks.
Outside vendors: Registrants failed to follow their own policies and procedures that required outside vendors to contractually agree to keep customers’ PII confidential.
PII inventory: Policies and procedures did not identify all systems on which the registrant maintained customer PII. Without this inventory, the registrant may have limited ability to adequately safeguard customer information.
Incident response plans: Written incident response plans did not address role assignments for implementing the plan, actions required to address a cybersecurity incident and assessments of system vulnerabilities.
Unsecure physical locations: Customer PII was stored in unsecure physical locations, such as in unlocked file cabinets in open offices.
Login credentials: Customer login credentials had been disseminated to more employees than permitted under firms’ policies and procedures.
Departed employees: In some instances, former employees of firms retained access rights after their departure. Therefore, they could access restricted customer information.
Read the entire report.