Helpful Safeguards Information for Investment Advisers and Broker-Dealers – Straight From the Examiners!

Cybersecurity & Technology

When it comes to information security, the Safeguards Rule of Regulation S-P (Safeguards Rule) requires SEC-registered investment advisers and brokers and dealers (Registrants) to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information, and that are reasonably designed to:

(i) Insure the security and confidentiality of customer records and information;

(ii) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(iii) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

On April 16, 2019, the SEC's Office of Compliance Inspections and Examinations (OCIE) provided a Risk Alert that included a list of Regulation S-P compliance issues identified in examinations of Registrants over the last 2 years.

In addition to other issues, OCIE noted the following real-life examples of Registrants appearing to fall short of the Safeguards Rule:

  1. Policies and procedures not reasonably designed to safeguard customer information on personal devices;
  2. Policies and procedures not addressing the inclusion of customer PII in electronic communications;
  3. Policies and procedures concerning encryption, password protection, and transmission of customer information not being supported by adequate employee training and policy monitoring;
  4. Policies and procedures prohibiting employees from sending customer PII to unsecure locations outside of the Registrant's networks;
  5. Registrant not following its own policies and procedures regarding outside vendors;
  6. Policies and procedures not identifying all systems on which customer information is maintained;
  7. Maintaining inadequate incident response plans;
  8. Storing customer PII in unsecure physical locations;
  9. Disseminating customer login credentials to more employees than permitted under Registrant's policies and procedures; and
  10. Failing to terminate access rights for former employees after departure.

While the list of examples provided by OCIE does not address all risks and issues Registrants face, it does provide helpful information Registrants can use when reviewing their own policies and procedures for compliance with the Safeguards Rule. In addition to reviewing their policies and procedures, Registrants should review the implementation of their policies and procedures to ensure compliance with the Safeguards Rule.

Bobby Turnage leads Sands Anderson’s Cybersecurity and Technology Team. If you have any questions about this post or any other information security issues, please reach out to Bobby or a member of the Cybersecurity and Technology Team.  

 
