Takeaways and Tips Related to SEC Risk Alert on Regulation S-P
On April 16, 2019, the SEC released a Risk Alert providing a list of compliance issues related to Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers. As with other risk alerts, these were deficiencies noted by OCIE in regulatory examinations. Though the deficiencies were fairly common sense, the release of the risk alert should be used by compliance professionals to reevaluate current practices in place and whether now is the time to make enhancements.
Regulation S-P, among other things, requires a registrant to: (1) provide a notice to its customers that accurately reflects its privacy policies and practices no later than when it establishes a customer relationship, (2) provide a privacy notice to its customers not less than annually during the continuation of the customer relationship and (3) deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”).
Additionally, the Safeguards Rule of Regulation S-P requires registrants to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
So, what deficiencies did the SEC find? We highlight the key items and remind you to analyze your own practices and privacy protocols to ensure you are in compliance:
- Not providing the initial, annual or opt-out notices. In addition, Registrants not doing what they say they are doing within those notices!
- Not providing an opt-out provision to the sharing of their nonpublic personal information with nonaffiliated third parties
- Lack of policies and procedures to comply Regulation S-P
- Not having reasonably designed policies to safeguard customer records and information. Here the SEC highlighted some additional matters with respect to safeguarding data:
- Personal devices – Not having policies to address client data stored on employee’s laptops, mobile devices, etc.
- Electronic communications – Not having policies that address protection of personally identifiable information (“PII”) in emails.
- Lack of training on the firm’s policies and practices.
- Unsecure Networks – Not having policies that prohibit employees from sending customer PII to unsecure locations outside firm’s networks.
- Outside vendors – Failure to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by the registrant’s policies and procedures.
- PII Inventory – Not maintaining an inventory of where PII is stored and steps to protect them.
- Incident response plans – Not addressing role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
- Unsecured physical locations – Lack of protection of documents maintained in unsecure locations, such as unlocked file cabinets.
- Login credentials – No controls over who can access the client’s login credentials and not following the policies about access controls.
- Departed employees – Not terminating access rights of employees who have departed the firm.
Here are a few key takeaways to help you ensure you have addressed these matters and strengthen your compliance program:
- Remember the importance of advising your customers of their opt-out rights.
- Ensure you implement and memorialize your policies and procedures related to administrative, technical, and physical safeguards. Reevaluate what your present policies are to ensure they are being carried out. Don’t just say you do things – DO THEM.
- Encryption, encryption, encryption! Retrain your staff on the importance of encrypting email communications when it contains PII.
- Perform surveillance of email to ensure the last bullet is being implemented.
- Have a plan and stick to it – Ensure you maintain an incident management plan, have roles assigned and ensure you are sticking to that plan in the event of a breach.
- Determine if you have client login credentials on file. If so, ensure there are controls and policies in place as to who can access this information and how it is securely maintained on your networks.
- Maintain an employee “off-boarding” checklist – When an employee departs, memorialize all the access controls that have been removed and the date it was removed.