SEC Staff Issue Risk Alert on Safeguarding Customer Records and Information at Branch Offices

Who may be interested: Registered Investment Advisers, Broker-Dealers.

Quick Take: The SEC’s Division of Examinations staff (Staff) recently issued a risk alert (Alert) highlighting deficiencies and trends that the Staff have observed relating to the safeguarding of customer records and information at branch offices of registered investment advisers and broker-dealers (collectively, firms).  The Alert follows recent proposed rule amendments that would require firms to adhere to enhanced compliance requirements relating to sensitive customer information. 

Under the Safeguards Rule of Regulation S-P, firms are required to adopt and implement policies and procedures reasonably designed to ensure the security, integrity and confidentiality of customer records and information, and to prevent unauthorized access to, or use of, customer records and information that could result in substantial harm or inconvenience to a customer. 

In the Alert, the Staff noted that many firms may be out of compliance with the Safeguards Rule. The Staff observed a trend in which many firms have policies and procedures in place for safeguarding customer records and information at their main offices but failed to implement those policies in branch offices. The Staff highlighted several key areas in which they observed deficiencies, including:

  • Inadequate due diligence and oversight of third-party service providers to branch offices, resulting in weak or misconfigured security settings that could allow unauthorized access of customer records and information;
  • Insufficient oversight of branch office email configuration which led to account takeovers, compromise of business emails and failure to capture email activity; 
  • Failure to apply data classification policies to identify and control electronic customer records at branch offices;
  • Lack of access controls (e.g., password complexity and multi-factor authentication requirements) for remote access to firm systems by branch offices, resulting in breaches; and
  • Failure to implement proper technology risk management policies and procedures to ensure proper system patching and vulnerability management at branch offices.

The Staff encouraged firms to consider their entire organization, including branch offices, when implementing policies and procedures for safeguarding customer records and information to ensure compliance with Regulation S-P.

The Alert is available here.

For a discussion of investment advisers’ duties to protect client information, see “Privacy and Cybersecurity: How Advisers Must Protect their Clients’ Most Valuable Asset”

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.