SEC Risk Alert – Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies

May 07, 2019

On April 16, 2019, the United States Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert about “Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies” to encourage investment adviser firms to review their written policies and procedures to, “ensure compliance with the relevant regulatory requirements.”

OCIE’s Risk Alert identifies the Most Frequent Regulation S-P Compliance Issues. The three most frequent issues are:

  1. Privacy and Opt-Out Notices: OCIE staff observed registrants that did not provide Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to their customers. When such notices were provided to customers, the notices did not accurately reflect firms’ policies and procedures.
  2. Lack of policies and procedures: OCIE staff observed registrants that did not have written policies and procedures as required under the Safeguards Rule.
  3. Policies not implemented or not reasonably designed to safeguard customer records and information: OCIE staff observed registrants with written policies and procedures that did not appear implemented or reasonably designed to (1) ensure the security and confidentiality of customer records and information, (2) protect against anticipated threats or hazards to the security or integrity of customer records and information, and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers.

The Risk Alert further broke down Policies not implemented or not reasonably designed to safeguard customer records and information into observed issues with:

  • Personal devices: OCIE staff observed registrants’ employees who regularly stored and maintained customer information on their personal laptops, but the registrants’ policies and procedures did not address how these devices were to be properly configured to safeguard the customer information.
  • Electronic communications: staff observed registrants that did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails to customers containing Personally Identifiable Information (PII).
  • Training and monitoring: Policies and procedures that required customer information to be encrypted, password-protected, and transmitted using only registrant-approved methods were not reasonably designed because employees were not provided adequate training on these methods and the firm failed to monitor if the policies were being followed by employees.
  • Unsecure networks: Policies and procedures that did not prohibit employees from sending customer PII to unsecure locations outside of the registrants’ networks.
  • Outside vendors: OCIE staff observed registrants that failed to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by the registrant’s policies and procedures.
  • PII inventory: Policies and procedures that did not identify all systems on which the registrant maintained customer PII.
  • Incident response plans: Written incident response plans that did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
  • Unsecure physical locations: Customer PII that was stored in unsecure physical locations, such as in unlocked file cabinets in open offices.
  • Login credentials: Customer login credentials that had been disseminated to more employees than permitted under firms’ policies and procedures.
  • Departed employees: Instances where former employees of firms retained access rights after their departure and therefore could access restricted customer information.

As the SEC continues to promote the importance of cybersecurity and protecting confidential investor information, RIA Compliance Consultants, Inc. has updated our cybersecurity sample forms. In our Cybersecurity – Best Practices Checklist, we have compiled a list of best practices intended to help an investment adviser with protecting its information systems and confidential information of its clients. More information about this sample form can be found here. We also provide other cybersecurity related forms such as Conducting Due Diligence of Cloud Computing Service Providers which can be viewed here, Cleaning Company – Acknowledgement of Background Checks which can be viewed here, Letter Notifying Client of Phishing Email which can be viewed here, GDPR Best Practices for Website which can be viewed here, and Cybersecurity – Employee Acknowledgement which can be viewed here. RIA Compliance Consultants has also entered into a Strategic Alliance Relationship with Greytwist Data Governance, a company with software to help keep track of outside vendors and PII. Greytwist offers a discount on their software to existing clients of RIA Compliance Consultants. Click here to learn more about Greytwist Data Governance. We encourage you to speak with your consultant about your cybersecurity policies and procedures. If you are not a client or RCC, please click here to set up an introductory call.

Posted by Grant Parr
Labels: Cyber Security, Cybersecurity, Due Diligence, Privacy, Privacy Policy, Risk Alert, Sample Forms, SEC