The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission has issued a risk alert concerning privacy notices and protections under Regulation S-P, 17 CFR §248, Subpart A, and related regulatory releases, in order to assist advisers and broker-dealers in adopting and implementing effective policies and procedures to safeguard customer records and information.
The Risk Alert sets out common Regulation S-P compliance issues observed by OCIE staff. These include:
- Failure to provide privacy and opt-out notices, and inadequate explanation of the registrant's policies and procedures;
- Lack of written policies and procedures;
- Policies not reasonably designed to safeguard customer information, or inadequately implemented.
The OCIE staff found that some registrants' employees maintained customer information on their personal laptops, although no policies and procedures were in place to safeguard that information. The Risk Alert also points to the following deficiencies:
- inadequate safeguarding of personally identifiable information communicated electronically, including the use of unsecured networks and storage in unsecured locations;
- failure to require outside vendors to keep customer information confidential, as the registrants' own information security policies and procedures required;
- inadequate training of registrants' employees on encryption, password protection and other methods of safeguarding customer information;
- failure to maintain an inventory of all systems on which a registrant maintains customer information;
- dissemination of customer login credentials more broadly than authorized by the registrants' policies;
- failure to devise adequate incident response plans; and
- failure to curtail access for employees who had left the firm.