ARTICLE
5 May 2023

SEC Staff Finds Safeguarding Policies And Procedures Lacking At Branch Offices

K&L Gates LLP


On 26 April 2023, shortly after the U.S. Securities and Exchange Commission (SEC) proposed rule amendments that would require broker-dealers and investment advisers (collectively, firms) to comply with enhanced compliance requirements relating to sensitive customer information, the SEC's Division of Examinations (staff) issued a risk alert highlighting the need for firms to have written policies and procedures for safeguarding customer records and information at their branch offices.

Under Regulation S-P, firms must adopt written policies and procedures intended to, among other things, help ensure the security and confidentiality of customer records and information and protect against anticipated threats or hazards to the security or integrity of such records and information. In assessing compliance with this obligation, the staff observed that many firms did not have adequate compliance programs for their branch offices. In particular, the staff observed the following (among other failures and weaknesses):

Vendor Management

While firms use vendors to provide certain services (e.g., cybersecurity and technology operations), many did not ensure that branch offices performed proper due diligence and vendor oversight.

Email Configuration

Firms lacked policies and procedures addressing branch office email configurations, which, in some instances, resulted in account takeover or business email compromise.

Data Classification

Although many firms maintained data classification policies and procedures, they did not ensure that branch offices complied with these policies, resulting in a failure to identify and control customer records.

Access Management

In some cases, password complexity and multi-factor authentication requirements for remote access to firm systems were not required for branch offices, resulting in breaches.

Technology Risk

While many firms implemented procedures requiring inventory management, patch management, and vulnerability management, some did not apply these procedures to branch offices, leaving those offices prone to compromise.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
