The SEC’s new Risk Alert provides valuable insight as to what the OCIE wants to see broker dealers and investment advisers accomplish with their privacy notices and their cybersecurity policies and procedures. The SEC wants this written documentation to be comprehensive, to accurately reflect the registrant’s practices, and to be implemented effectively throughout their business. Broker dealers and investment advisers can, and should, use this Risk Alert to benchmark their own specific practices against the SEC’s expectations.
In the April 16, 2019 Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) outlines privacy and cybersecurity compliance issues identified in its examinations of broker dealers and investment advisers over the last two years. The staff found registrants whose privacy notices were inaccurate, did not meet Regulation S-P’s requirements, or both. The procedures that were in place failed to adequately protect customers’ nonpublic financial information in several specific ways. And registrants’ written policies and procedures were not customized for their business, did not comprehensively address cybersecurity, and did not accurately reflect their actual practices.
The key takeaway by the OCIE is that registrants should review their written policies and procedures, including their actual implementation of them. In light of this, we recommend that broker dealers and investment advisers benchmark their privacy and cybersecurity written policies, and their implementation of such policies, against the SEC’s expectations set forth in the Risk Alert as well as the SEC’s various guidance on cybersecurity published since its first cybersecurity risk alert in 2014. This can be approached efficiently using a questionnaire that is designed with the SEC’s stated expectations in mind.
The following are common deficiencies that the OCIE reported in its April 2019 Risk Alert. Broker dealers and investment advisers should review each of these, and evaluate whether their own practices in these areas are sound:
- Personal devices. Policies and procedures were not reasonably designed to safeguard customer information stored by employees on their personal devices.
- Encryption of email. Policies and procedures did not address the inclusion of customer personally identifiable information (PII) in electronic communications, in particular the encryption of emails that contain PII.
- Employee training. Failure to adequately train employees on transmitting customer information in an encrypted, password-protected format, and failure to monitor whether employees were actually following such policies.
- Data loss controls. Failure to adopt policies and procedures prohibiting employees from sending customer PII to unsecured locations outside of a firm’s networks.
- Third-party vendors. Failure to contractually bind outside vendors to protect customer information appropriately.
- Inventorying. Failure to inventory all systems on which customer PII is maintained.
- Data breach response. Incident response plans did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
- Physical storage of PII. Storage of customer PII in unsecured physical locations, such as unlocked file cabinets in open offices.
- Need to know. Dissemination of customer login credentials to employees who had no legitimate need for them.
- Departing employees. Failure to terminate system access of former firm employees.
Like prior OCIE risk alerts, this Risk Alert provides a road map for registered investment advisers and broker dealers to follow when developing or evaluating their data privacy and cybersecurity procedures. They now have additional insight as to the types of issues that OCIE staff will look for when conducting an examination. The Risk Alert also provides registrants, their CCOs and counsel with the raw materials to develop a thorough review program for a firm’s data privacy and cybersecurity policies and procedures. CCOs and compliance staff should ensure that their annual compliance reviews are updated to reflect these issues and should consult with counsel to help evaluate their written policies and procedures, and their implementation of them, in light of OCIE’s findings.
Members of MoFo’s Privacy and Data Security practice group have regularly assisted broker dealers and investment advisers to benchmark, form, and mature their cybersecurity programs, including their written privacy notices and their cybersecurity policies and procedures.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved