OCIE Issues Risk Alert on Regulation S-P – Privacy Notices and Safeguard Policies
April 24, 2019
On April 16, 2019, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert on compliance issues related to Regulation S-P.1
Regulation S-P requires, among other things, an SEC-registered investment adviser or broker-dealer (“firm”) to (i) provide a clear and conspicuous notice to its customers that reflects its privacy policies and practices when it initially establishes a customer relationship and at least annually during the term of the customer relationship (“Privacy Notices”), and (ii) deliver a clear and conspicuous notice to its customers that explains the right to opt out of some disclosures of non-public personal information about the customer to unaffiliated third parties (“Opt-Out Notice”).
Regulation S-P further requires firms to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information (the “Safeguards Rule”). Under the Safeguards Rule, firms’ written policies and procedures must be reasonably designed to (i) ensure the security and confidentiality of customer records and information, (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information, and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The risk alert noted the following examples of the most common deficiencies identified by the OCIE staff regarding Regulation S-P:
- Privacy and Opt-Out Notices: Firms failed to provide Privacy Notices and Opt-Out Notices to customers, or provided notices that did not accurately reflect the firms’ policies and procedures.
- Lack of Policies and Procedures: Firms failed to adopt written policies and procedures as required by the Safeguards Rule. For example, firms had documents that restated the Safeguards Rule but did not include policies and procedures that addressed administrative, technical and physical safeguards for the protection of customer records and information. Certain written policies and procedures contained numerous blank spaces designed to be filled in by firms.
- Implementation and Design of Policies and Procedures: The OCIE staff noted policies that were not implemented or reasonably designed to safeguard customer records and information. In particular, the OCIE staff observed:
- policies and procedures that
- were not reasonably designed to safeguard customer information on personal devices, such as not addressing the proper configuration of personal laptops that stored customer information;
- failed to address the inclusion of customer personally identifiable information (“PII”) in electronic communications, such as preventing employees from regularly sending unencrypted emails to customers containing PII;
- did not provide employees with adequate training on, or monitor compliance with, firm-approved methods to safeguard the transmittal of customer information;
- did not prohibit employees from sending customer PII to unsecure locations outside of the firms’ networks; or
- did not identify all systems on which the firm maintained customer PII;
- firms that failed to require outside vendors to contractually agree to keep customers’ PII confidential as required by the firms’ policies and procedures;
- written incident response plans that did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities;
- customer PII that was stored in unsecure physical locations, such as in unlocked file cabinets in open offices;
- customer login credentials that were provided to more employees than permitted; and
- instances where former employees retained access to customer information after their departure.
- policies and procedures that
In view of the common deficiencies identified in the risk alert, we encourage firms to review the adequacy of their written policies and procedures designed to safeguard customer information and the effectiveness of their implementation to ensure that they have complied with Regulation S-P.
1 17 CFR Part 248, Subpart A, and Appendix A to Subpart A.