The SEC’s Office of Compliance Inspections and Examinations (OCIE) released two Risk Alerts, on April 16, 2019 and May 23, 2019, highlighting the importance of privacy and cybersecurity compliance for SEC-registered investment advisors and broker-dealers under Regulation S-P. As previously covered on Data Matters, OCIE has consistently identified cybersecurity as one of its main areas of focus for examinations.
Indeed, cybersecurity was once again identified by OCIE in its 2019 National Exam Program Examination Priorities (2019 Exam Priorities), which placed a particular emphasis on proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security. With the issuance of the April 16 and May 23 Risk Alerts, OCIE has provided additional detail regarding specific issues that SEC-registered entities should focus on to mitigate privacy and cybersecurity risk, as well as to prepare for examinations.
April 16 Risk Alert – Privacy Notices and Safeguard Policies
In its Risk Alert dated April 16, OCIE focused on Regulation S-P compliance issues, including the provision of privacy and opt-out notices and effective policies and procedures for safeguarding customer records and information.
Privacy and Opt-Out Notices
Under Regulation S-P, registrants are required to deliver a “clear and conspicuous” notice regarding their privacy policies and practices to customers both at the establishment of the customer relationship and at certain points throughout the duration of that relationship. Registrants are also required to inform customers of their right to opt out of some disclosures of the customer’s non-public personal information to unaffiliated third parties. In its April 16 Risk Alert, OCIE noted that examined entities frequently failed to provide such notices to their customers, or provided inaccurate or incomplete notices that did not accurately reflect the firms’ policies and procedures or that lacked the required opt-outs.
The Safeguards Rule
Regulation S-P also established the Safeguards Rule, which requires registrants to adopt written policies and procedures addressing administrative, technical, and physical safeguards for the protection of customer data. Regulation S-P requires these policies to be “reasonably designed” to ensure the security, integrity, and confidentiality of customer information and protect against unauthorized access to the same.
The Risk Alert noted several issues that OCIE staff have identified in connection with examined entities’ efforts to comply with the Safeguards Rule:
- Lack of Policies and Procedures. Some examined entities did not have the required written policies or procedures in place, even if they had demonstrated awareness of the Safeguards Rule. Other examined entities only had incomplete or “draft” policies in place, or had policies in place for providing privacy notices but not for the other elements required by the Safeguards Rule.
- Policies not implemented or not reasonably designed to safeguard customer records and information. Some examined entities had written policies and procedures in place, but the OCIE staff found that the policies and procedures were not reasonably designed to ensure the protection of customer data. In particular, OCIE highlighted concerns where policies did not sufficiently address security concerns related to the following:
  - Customer data stored on personal laptops or other portable devices;
  - Policies and procedures that failed to prevent the unencrypted transmission of emails containing customer PII;
  - Ineffective training and monitoring of employees;
  - Failures to prohibit employees from sending customer PII to insecure locations outside the registrants’ networks;
  - Failures to ensure third party service provider compliance with policies and procedures;
  - Failures to fully identify all systems maintaining customer PII;
  - Absence of, or insufficiently mature, cybersecurity incident response plans;
  - Failures to conduct system vulnerability assessments;
  - Widely disseminated log-in credentials despite policy restrictions;
  - Insecure physical storage of customer information; and
  - Failures to properly deactivate employee access after termination.
May 23 Risk Alert – Customer Records in Network Storage
About one month after releasing its April 16 Risk Alert, OCIE issued another Risk Alert on May 23 regarding security features in network storage. In contrast to its prior Risk Alert, the May 23 Risk Alert focused specifically on entities that sought to leverage cloud-based storage solutions, particularly those involving third party service providers. It emphasized the importance of utilizing network storage features such as encryption and password protection, noting that examined entities often neglected to use such features even when they were available.
The May 23 Risk Alert also outlined three concerns based on observations of network storage solutions implemented by examined entities:
- Misconfigured network storage solutions. Some examined entities did not adequately configure security settings on their cloud-based solutions or did not have policies and procedures in place regarding the security configuration. OCIE pointed to a lack of effective oversight as a contributing factor to this concern.
- Inadequate oversight of vendor-provided network storage solutions. According to OCIE staff, examined entities often failed to take steps to ensure that third party cloud storage solutions were in compliance with the firms’ own information security standards.
- Insufficient data classification policies and procedures. In some cases, OCIE staff found that examined entities did not have procedures in place to identify the different types of electronic data in their possession and assign appropriate controls for each of these types.
As OCIE’s recent publications help demonstrate, data privacy and information security are rapidly becoming more significant areas of concern for financial regulators. Broker-dealers, investment advisors, and other financial institutions must ensure that they are taking adequate steps to meet their obligations for privacy compliance and cybersecurity risk management.
Such steps include designing and actively maintaining policies and procedures around customer notice, access controls, vendor management, information security governance, incident response and network storage. They also include ensuring—through periodic cybersecurity audits, vulnerability assessments, and penetration tests—that these standards are being implemented appropriately across the firm and among third party service providers with access to customer data.