SEC Staff Issue Risk Alert on Safeguarding Customer Records and Information at Branch Offices

Seward & Kissel LLP

Who may be interested: Registered Investment Advisers, Broker-Dealers.

Quick Take: The SEC’s Division of Examinations staff (Staff) recently issued a risk alert (Alert) highlighting deficiencies and trends the Staff have observed in the safeguarding of customer records and information at branch offices of registered investment advisers and broker-dealers (collectively, firms). The Alert follows recently proposed rule amendments that would subject firms to enhanced compliance requirements relating to sensitive customer information.

Under the Safeguards Rule of Regulation S-P, firms are required to adopt and implement written policies and procedures reasonably designed to ensure the security, integrity and confidentiality of customer records and information, and to protect against unauthorized access to, or use of, such records and information that could result in substantial harm or inconvenience to a customer.

In the Alert, the Staff noted that many firms may be out of compliance with the Safeguards Rule. The Staff observed a trend in which firms have policies and procedures in place for safeguarding customer records and information at their main offices but fail to implement those same policies and procedures in their branch offices. The Staff highlighted several key areas in which they observed deficiencies, including:

  • Inadequate due diligence and oversight of third-party service providers used by branch offices, resulting in weak or misconfigured security settings that could allow unauthorized access to customer records and information;
  • Insufficient oversight of branch office email configuration, which led to account takeovers, business email compromise and failure to capture email activity for recordkeeping;
  • Failure to apply data classification policies to identify and control electronic customer records at branch offices;
  • Lack of access controls (e.g., password complexity and multi-factor authentication requirements) for remote access to firm systems from branch offices, resulting in breaches; and
  • Failure to implement technology risk management policies and procedures that ensure timely system patching and vulnerability management at branch offices.

The Staff encouraged firms to consider their entire organization, including branch offices, when designing and implementing policies and procedures for safeguarding customer records and information, so as to ensure compliance with Regulation S-P.

The Alert is available here.
