When it comes to information security, the Safeguards Rule of Regulation S-P (Safeguards Rule) requires SEC-registered investment advisers and brokers and dealers (Registrants) to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information, and that are reasonably designed to:
(i) Insure the security and confidentiality of customer records and information;
(ii) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(iii) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) provided a Risk Alert that included a list of Regulation S-P compliance issues identified in examinations of Registrants over the last 2 years.
In addition to other issues, OCIE noted the following real-life examples of Registrants appearing to fall short of the Safeguards Rule:
- Policies and procedures not reasonably designed to safeguard customer information on personal devices;
- Policies and procedures not addressing the inclusion of customer PII in electronic communications;
- Policies and procedures concerning encryption, password protection, and transmission of customer information not being supported by adequate employee training and policy monitoring;
- Policies and procedures prohibiting employees from sending customer PII to unsecure locations outside of the Registrant’s networks;
- Registrant not following its own policies and procedures regarding outside vendors;
- Policies and procedures not identifying all systems on which customer information is maintained;
- Maintaining inadequate incident response plans;
- Storing customer PII in unsecure physical locations;
- Disseminating customer login credentials to more employees than permitted under Registrant’s policies and procedures; and
- Failing to terminate access rights for former employees after departure.
While the list of examples provided by OCIE does not address all risks and issues Registrants face, it does provide helpful information Registrants can use when reviewing their own policies and procedures for compliance with the Safeguards Rule. In addition to reviewing their policies and procedures, Registrants should review the implementation of their policies and procedures to ensure compliance with the Safeguards Rule.
Bobby Turnage leads Sands Anderson’s Cybersecurity and Technology Team. If you have any questions about this post or any other information security issues, please reach out to Bobby or a member of the Cybersecurity and Technology Team.