The Risk Alert sets out common Regulation S-P compliance issues observed by OCIE staff. These include:
- Failure to provide privacy and opt-out notices, and inadequate explanation of the registrant’s policies and procedures;
- Lack of written policies and procedures;
- Policies not reasonably designed to safeguard customer information, or inadequately implemented.
The OCIE staff found that some registrants’ employees maintained customer information on their personal laptops, although no policies and procedures were in place to safeguard that information. The Risk Alert also points to the following deficiencies:
- inadequate safeguarding of personally identifiable information communicated electronically;
- the use of unsecured networks, and storage of customer information in unsecured locations;
- failure to require outside vendors to keep customer information confidential, in violation of the registrants’ information security policies and procedures;
- inadequate training for registrants’ employees on encryption, password protection and other methods of safeguarding customer information;
- failure to maintain an inventory of all systems on which a registrant maintains customer information;
- dissemination of customer login credentials more broadly than authorized by the registrants’ policies;
- failure to devise adequate incident response plans; and
- failure to curtail access for employees who had left the firm.