Helpful Safeguards Information for Investment Advisers and Broker-Dealers – Straight From the Examiners!

Sands Anderson PC

When it comes to information security, the Safeguards Rule of Regulation S-P (Safeguards Rule) requires SEC-registered investment advisers and brokers and dealers (Registrants) to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information, and that are reasonably designed to:

(i) Insure the security and confidentiality of customer records and information;

(ii) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(iii) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) provided a Risk Alert that included a list of Regulation S-P compliance issues identified in examinations of Registrants over the last 2 years.

In addition to other issues, OCIE noted the following real-life examples of Registrants appearing to fall short of the Safeguards Rule:

  1. Policies and procedures not reasonably designed to safeguard customer information on personal devices;
  2. Policies and procedures not addressing the inclusion of customer PII in electronic communications;
  3. Policies and procedures concerning encryption, password protection, and transmission of customer information not being supported by adequate employee training and policy monitoring;
  4. Policies and procedures prohibiting employees from sending customer PII to unsecure locations outside of the Registrant’s networks;
  5. Registrant not following its own policies and procedures regarding outside vendors;
  6. Policies and procedures not identifying all systems on which customer information is maintained;
  7. Maintaining inadequate incident response plans;
  8. Storing customer PII in unsecure physical locations;
  9. Disseminating customer login credentials to more employees than permitted under Registrant’s policies and procedures; and
  10. Failing to terminate access rights for former employees after departure.

While the list of examples provided by OCIE does not address all risks and issues Registrants face, it does provide helpful information Registrants can use when reviewing their own policies and procedures for compliance with the Safeguards Rule. In addition to reviewing their policies and procedures, Registrants should review the implementation of their policies and procedures to ensure compliance with the Safeguards Rule.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sands Anderson PC | Attorney Advertising
