SEC OCIE Highlights Potential Deficiencies in Firm Privacy Policies

By Emily P. Gordy, Cheryl Haas & Alexander Madrid on April 25, 2019

On April 16, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting Regulation S-P compliance deficiencies and issues it found in recent examinations of broker-dealers and investment advisers.  Regulation S-P is the primary SEC rule detailing the safeguards these firms must take to protect customer privacy.  The Risk Alert provides an important reminder for firms to assess their supervisory and compliance programs related to Regulation S-P and make any necessary changes to strengthen those systems.  Indeed, in light of the substantial fines that can accompany a finding that Regulation S-P has been violated, firms must pay careful attention to the OCIE’s guidance regarding potential pitfalls.

Regulation S-P requires broker-dealers and investment advisers to adopt written policies and procedures addressing the protection of customer information and records. These policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information and to protect against unauthorized access or threats. Additionally, Regulation S-P requires firms to send customers notices regarding the firm’s privacy policies and practices (at the establishment of the customer relationship and annually thereafter) as well as an “opt out notice” that explains to customers their right to opt out of some disclosures of their non-public information to third parties. Firms that fail to comply with Regulation S-P can be hit with substantial fines; last year the SEC fined a broker-dealer $1 million for failing to maintain adequate safeguards against identity theft.

The Risk Alert highlights examples of common deficiencies or weaknesses that OCIE staff identified related to Regulation S-P in their examinations, which serve as considerations for firms evaluating their own policies and procedures:

  • Failure to Provide Adequate Notices. Some examined firms failed to provide the notices required by Regulation S-P, whereas others provided notices that did not contain required information, such as information regarding a customer’s opt-out right.
  • Lack of Adequate Policies and Procedures. Some firms did not have adequate written policies and procedures addressing customer privacy. The OCIE noted that policies and procedures that simply restate the rules contained within Regulation S-P are insufficient; rather, these documents must actually address the administrative, technical, and physical safeguards the firm has put in place. Similarly, “off the shelf” policies and procedures—which firms sometimes buy from third party vendors—are insufficient if firms do not include detail as to how they are actually being implemented.
  • Poorly Designed or Unimplemented Policies. The OCIE observed that even where firms had written policies and procedures, in some cases they were either not actually implemented or not reasonably designed to meet the requirements of Regulation S-P. The OCIE identified specific areas where firms’ policies and procedures were either poorly designed or not implemented:

    • Personal devices. The OCIE highlighted firms whose employees regularly stored and maintained customer personally identifying information (PII) on their personal laptops, but whose policies and procedures did not address how to safeguard that information.
    • Email. Some firms did not have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails containing customer PII. Other firms did have such policies but did not provide adequate training to employees or failed to monitor whether their policies were actually being followed.
    • Outside Vendors. Some firms failed to follow their own policies and procedures when dealing with outside vendors. The OCIE noted firms that failed to require outside vendors to contractually agree to keep customer PII confidential, even where their own policies and procedures required such agreements.
    • Failure to Identify Systems with Customer Information. Some firms did not inventory all systems on which they maintained customer PII, which the OCIE stated could limit their ability to safeguard that information.
    • Inadequate Incident Response Plans. Some firms’ incident response plans did not address important areas such as the actions required to address a cybersecurity incident and assessments of system vulnerabilities.
    • Unsecure Physical Locations and Unauthorized Access. The OCIE noted firms that stored customer PII in unsecure physical locations (such as unlocked file cabinets), as well as cases where customer login credentials had been sent to employees who were not authorized to receive that information.
    • Departed Employees. Finally, the OCIE noted instances where former employees of firms retained access rights to customer PII after their departure.

The Risk Alert serves as a timely reminder to all broker-dealers and investment advisers to review their written policies and procedures, as well as the implementation of those policies and procedures, to ensure they are compliant with Regulation S-P.  The Alert also serves as a complement to FINRA’s 2018 Report on Selected Cybersecurity Practices, which set forth FINRA’s observations regarding effective practices that firms have implemented to address cybersecurity risks, including risks related to identity theft.

McGuireWoods’ experienced broker-dealer/investment adviser team will continue to monitor and report on important issues affecting the broker-dealer industry.  For more information, contact the authors of this article or any member of the team.

Emily advises her clients as they navigate the complexities inherent in the securities regulatory environment. Drawing on her wealth of experience as a regulator, she handles a wide range of compliance and enforcement issues affecting broker-dealers, investment advisers, investment companies, and municipal securities dealers.

Read more about Emily P. GordyEmail
Show more Show less
Photo of Cheryl Haas Cheryl Haas

Cheryl is go-to litigation counsel for Fortune 100 companies, investment companies and advisers, broker-dealers and private individuals in high-stakes disputes in federal and state courts and a variety of arbitration forum as well as before the U.S. Securities and Exchange Commission, the Financial…

Cheryl is go-to litigation counsel for Fortune 100 companies, investment companies and advisers, broker-dealers and private individuals in high-stakes disputes in federal and state courts and a variety of arbitration forums, as well as before the U.S. Securities and Exchange Commission, the Financial Industry Regulatory Authority and state securities regulators across the United States.
  • Posted in:
    Privacy & Data Security
  • Blog:
    Password Protected
  • Organization:
    McGuireWoods LLP