In a Risk Alert, the SEC Office of Compliance Inspections and Examinations ("OCIE") urged registrants to review their written policies to ensure compliance with requirements under Regulation S-P (Privacy of Consumer Financial Information and Safeguarding Personal Information).

The most common types of inadequacies with respect to the "Safeguards Rule" of Regulation S-P, according to OCIE, include:

  • not providing Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to customers;
  • not having written policies and procedures, as mandated under the Safeguards Rule (e.g., firms had documents that restated the Safeguards Rule but did not incorporate policies concerning "administrative, technical, and physical safeguards"); and
  • having policies that do not sufficiently safeguard customer records and information.

Commentary

This Risk Alert illustrates how much the nature of broker-dealer and investment adviser activities has changed over the last five to ten years. While the importance of traditional securities compliance concerns (e.g., insider trading or conflicts of interest) has not diminished, matters related to technology controls and cybersecurity are of equal concern. For example, among the deficiencies noted in the alert are (i) storage of information on laptop computers; (ii) transmission of unencrypted emails containing personally identifiable information; (iii) use of unsecure networks; (iv) deficient incident response plans; and (v) failure to institute adequate controls of login credentials. While the focus of this Risk Alert is on technology deficiencies relating to compliance with Regulation S-P, it should serve as a general caution to regulated entities to consider, more generally, the sufficiency of their technology controls as it relates to their securities law compliance.
