SEC’s OCIE Issues Risk Alert for Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P

On April 16, 2019, OCIE issued a risk alert addressing Regulation S-P compliance issues it identified during examinations over the past two years. The key takeaway from the alert is that advisers should review their written policies and procedures, including how those policies and procedures are implemented, to ensure that they comply with the relevant regulatory requirements. Below are the most frequent Regulation S-P deficiencies that OCIE staff identified.

Privacy and Opt-Out Notices. OCIE staff observed registrants that did not provide Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to their customers. When such notices were provided to customers, the notices did not accurately reflect firms’ policies and procedures. The staff also noted Privacy Notices that did not provide notice to customers of their right to opt out of the registrant sharing their nonpublic personal information with non-affiliated third parties.

Lack of policies and procedures. OCIE staff observed registrants that did not have written policies and procedures as required under the Safeguards Rule. For example, firms had documents that restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards. The staff observed written policies and procedures that contained numerous blank spaces designed to be filled in by registrants. There were also firms with policies that addressed the delivery and content of a Privacy Notice, but did not contain any written policies and procedures required by the Safeguards Rule.

Policies not implemented or not reasonably designed to safeguard customer records and information. OCIE staff observed registrants with written policies and procedures that did not appear implemented or reasonably designed to (1) ensure the security and confidentiality of customer records and information, (2) protect against anticipated threats or hazards to the security or integrity of customer records and information, and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers. For example, staff observed:

  • Personal devices. Policies and procedures that did not appear reasonably designed to safeguard customer information on personal devices. For example, staff observed registrants’ employees who regularly stored and maintained customer information on their personal laptops, but the registrants’ policies and procedures did not address how these devices were to be properly configured to safeguard the customer information.
  • Electronic communications. Policies and procedures that did not address the inclusion of customer personally identifiable information (“PII”) in electronic communications. For example, staff observed registrants that did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails to customers containing PII.
  • Training and monitoring. Policies and procedures that required customer information to be encrypted, password-protected, and transmitted using only registrant-approved methods were not reasonably designed because employees were not provided adequate training on these methods and the firm failed to monitor whether employees were following the policies.
  • Unsecure networks. Policies and procedures that did not prohibit employees from sending customer PII to insecure locations outside of the registrants’ networks.
  • Outside vendors. Registrants failed to follow their own policies and procedures regarding outside vendors. For example, staff observed registrants that failed to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by the registrants’ policies and procedures.
  • PII inventory. Policies and procedures that did not identify all systems on which the registrant maintained customer PII. Without an inventory of all such systems, registrants may be unaware of the categories of customer PII that they maintain, which could limit their ability to adopt reasonably designed policies and procedures and adequately safeguard customer information.
  • Incident response plans. Written incident response plans that did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
  • Unsecure physical locations. Customer PII that was stored in insecure physical locations, such as in unlocked file cabinets in open offices.
  • Login credentials. Customer login credentials that had been disseminated to more employees than permitted under firms’ policies and procedures.
  • Departed employees. Instances where former employees of firms retained access rights after their departure and therefore could access restricted customer information.