Bates News, Bates Research | 05-09-19
Safeguarding Client Information: OCIE Wants Firms to Increase Efforts
In a new Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (OCIE) highlighted privacy and information security issues raised during examinations of registered investment advisers and broker-dealers. OCIE wants registrants to pay closer attention to all aspects of Regulation S-P, the SEC’s rule that obligates firms to safeguard client information. In addition, OCIE wants firms to be more diligent about integrating their overall compliance efforts and to better communicate privacy policies to their retail investors, particularly as they relate to electronic and web-based platforms. As Bates Research described in a previous post, OCIE is prioritizing the protection of retail investors (see its annual report on market risk). Securing customers’ personal information is at the heart of that protection. In this article, we take a closer look at the new Alert and OCIE’s emphasis on improving Regulation S-P compliance.
SEC Rules and OCIE Exam Results
As FINRA states, “protection of financial and personal customer information is a key responsibility and obligation of FINRA member firms.” Regulation S-P requires firms to adopt written policies and procedures to protect the confidentiality, security and integrity of client information. The Safeguards Rule requires these policies to “address administrative, technical and physical safeguards.” Among other things, this rule obliges firms to protect against anticipated “threats or hazards” and against any unauthorized access to personal information. Further, the regulation requires firms to issue privacy notices to clients describing the firm’s information-sharing practices and to explain customers’ rights to opt out of that sharing, and SEC rules more broadly require firms to develop programs to prevent identity theft and to address the risk of bad actors intent on stealing account assets or accessing a client account to manipulate the market.
OCIE reports that it found gaps in firm compliance with many of these obligations. The most common deficiency was the absence of written policies and procedures addressing the administrative, technical and physical safeguards required under the Safeguards Rule. But OCIE also found many specific failings, including, for example, failures to provide the required notices, inaccuracies in the content of the notices, failures to provide opt-out information on the sharing of non-public personal information, and policies containing blank spaces that registrants left incomplete.
Just as significant, OCIE reports that many of the written policies were “not reasonably designed” to protect clients’ personal information. The agency highlighted a host of examples, including policies that (i) did not address protecting customer information on personal devices; (ii) did not address the use of personally identifiable information (“PII”); (iii) lacked training and monitoring on the use of unsecured networks and on encryption in electronic communications; and (iv) did not address confidentiality when employing outside vendors. More broadly, OCIE found examples of firms failing to keep an inventory of all the systems that may access PII; inadequate incident response plans; PII stored in unsecured locations; customer login credentials that had been too widely disseminated; and failures to terminate former employees’ access rights to PII after their departure.
The Regulation S-P issues addressed in the OCIE Risk Alert implicate broader concerns about the protection of financial information and cybersecurity. As Bates has reported before, both FINRA and NASAA have addressed related issues (see here and here). Recently, SIFMA published a thinkpiece on battling current cybersecurity risks for financial firms. It points out that “cybersecurity is not just about building defenses around a perimeter…but have expanded to include malicious or destructive attacks, that go beyond stealing money and data.”
The author concludes that firms must address the issue not only through compliance but through the development of a culture of cyber resiliency.
The underlying message of OCIE’s Risk Alert is that firms must engage in a deep dive to ensure that adequate policies exist and are being implemented in a way that effectively addresses the risk. SIFMA’s opinion piece takes this a step further, arguing that effective risk management requires a cultural change that supports, but goes beyond, integrating the administrative, technical and physical safeguards required under Regulation S-P.
When OCIE issues an alert, it is providing information to help firms adopt and implement effective policies and procedures under the applicable regulation, in this case Regulation S-P. The Alert is also a strong signal that the agency has made the subject a priority, increasing the likelihood that enforcement efforts are not far behind.
Visit Bates Group at the 2019 FINRA Annual Compliance, Booth #7, on May 14th-17th in Washington D.C. and learn more about our compliance and regulatory solutions for your firm.