HEADS UP: SEC Division of Examinations Identifies Gaps and Signals Need for Main Office Policies and Procedures to be Applied at Branch Office Locations
The SEC Division of Examinations issued a Risk Alert on April 26, 2023, regarding weaknesses observed at branch office locations of investment advisers and broker-dealers. The Alert recommends that firms consider the entire organization when implementing policies and procedures to safeguard client records and ensure compliance with Regulation S-P. This latest Risk Alert also echoes deficiencies among branch offices first noted by the SEC in a November 2020 Risk Alert concerning examinations of investment advisers' branch offices.
The gaps in adoption or implementation at the branch level spanned topics such as vendor management, email configuration, data classification, access management, and technology. The inconsistency between main office and branch governance structures led to firms falling victim to cyber and data breaches, unauthorized access to customer information, inadequate incident response, and outdated systems prone to compromise. Had the main office policies and procedures been properly adopted and implemented at the branches, the breaches may have been prevented.
Regulation S-P (the “Safeguards Rule”) requires firms to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
Specifically, the Alert highlights that while many of these firms implemented safeguarding policies and procedures at their main office, some firms did not adopt or implement written policies and procedures addressing safeguards for their branch offices, despite the branches facing the same or similar risks in some cases, resulting in firms falling victim to cybersecurity and data breaches. The SEC references the FINRA "branch office" definition but states, "However, as used in this risk alert, the term 'branch office' applies more broadly to include any location other than a firm's main office, including offices of any independent contractors through which the firm may offer investment products and services."
The procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, as well as protect against any unauthorized access that could result in client harm.
Observations from the SEC regarding common issues related to oversight of branch offices include:
Some firms did not apply main office policies and procedures requiring proper due diligence and oversight of vendors.
The SEC notes that when firms did not provide guidance or recommendations to assist branch offices in selecting vendors, the result was weak or misconfigured security settings, which could lead to unauthorized access to client records and information.
Firms often use vendors for email services, and the SEC staff observed that some firms neither managed the email accounts used at branch offices nor had defined policies and procedures for them. Many firms allowed branches to obtain their own vendor services without providing the technical requirements needed to secure branch email. This exposes the branch to account takeover and business email compromise, and in some instances results in a failure to capture all account activity, which in turn hinders timely incident response.
Data classification policies and procedures relating to the electronic storage of client data must also be applied to branch offices. The absence of such controls resulted in a failure to identify and control client records and information held at the branches.
Similarly, firms did not require access management controls at branch offices that matched those in place at the main office, leading to an increase in breaches. The Alert points out that main office requirements such as multi-factor authentication, password complexity, and other controls may have prevented the breaches observed.
The staff also observed branch offices running systems unknown to the firm. Because these systems were not tracked, they were not kept current with system updates and patches, leaving the branches open to compromise.
Important Takeaways from this Risk Alert are:
- Review policies and procedures covering these safeguarding topics and apply them to all branch office locations, including locations where independent contractors offer investment products and services on the firm's behalf.
- Policies and procedures applied to branch locations should cover, among other topics, the selection and oversight of vendors, management of email accounts, data classification, access controls, and technology inventory and patching.
- Policies and procedures should specify the technical requirements branches must meet, rather than leaving configuration choices to each branch.
Contact us to learn more.
Disclaimer: The information contained in this communication is for informational purposes only. The opinions expressed herein are those of the author and do not necessarily reflect those of Confluence. Confluence is not providing legal, financial, accounting, compliance, or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business.