Helpful Safeguards Information for Investment Advisers and Broker-Dealers – Straight From the Examiners!
April 30, 2019 | Author: Bobby N. Turnage
Law Firm: Sands Anderson PC - McLean Office
When it comes to information security, the Safeguards Rule of Regulation S-P (Safeguards Rule) requires SEC-registered investment advisers, brokers and dealers (Registrants) to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information, and that are reasonably designed to:
(i) Insure the security and confidentiality of customer records and information;
(ii) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(iii) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert listing Regulation S-P compliance issues identified in examinations of Registrants over the preceding two years.
In addition to other issues, OCIE noted the following real-life examples of Registrants appearing to fall short of the Safeguards Rule:
- Policies and procedures not reasonably designed to safeguard customer information on personal devices;
- Policies and procedures not addressing the inclusion of customer PII in electronic communications;
- Policies and procedures concerning encryption, password protection, and transmission of customer information not being supported by adequate employee training and policy monitoring;
- Policies and procedures not prohibiting employees from sending customer PII to unsecure locations outside of the Registrant’s networks;
- Registrant not following its own policies and procedures regarding outside vendors;
- Policies and procedures not identifying all systems on which customer information is maintained;
- Maintaining inadequate incident response plans;
- Storing customer PII in unsecure physical locations;
- Disseminating customer login credentials to more employees than permitted under Registrant’s policies and procedures; and
- Failing to terminate access rights for former employees after departure.