The Securities and Exchange Commission is warning investment firms to step up their game when it comes to following the agency’s privacy rules. In a Risk Alert issued by the Office of Compliance Inspections and Examinations (OCIE), a laundry list of compliance “deficiencies or weaknesses” were identified in recent examinations of SEC-registered investment advisers and broker dealers.

Regulation S-P or the Safeguards Rule – the SEC’s primary rule regarding privacy – requires investment firms to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” 

The agency’s routine examination process found the “most common” compliance shortcomings to include:

• Not providing required Privacy Notices, Annual Privacy Notices and OptOut Notices to customers or using flawed “notices [that] did not accurately reflect firms’ policies and procedures.”
• Failure to “have written policies and procedures as required by the Safeguards Rule.” During inspections, OCIE found some investment firms had “numerous blank spaces designed to be filled in by registrants.”
• Storing client information on personal devices without policies and procedures to safeguard the information;
• Using unencrypted email to send personally identifiable information or “PII”;
• Sending PII to “insecure locations outside of the registrants’ networks;
• Flawed incident response plans that “did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.”
• Storing customer PII in “unlocked file cabinets in open offices.”

The agency said it “encourages registrants to review their written policies and procedures, including implementation of those policies and procedures, to ensure compliance with the relevant regulatory requirements.”