Earlier this week, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a risk alert for Investment Advisers and Broker-Dealers regarding compliance issues related to Regulation S-P – Privacy Notices and Safeguard Policies.
The key areas identified by the OCIE were firms' failure to provide clients with privacy and opt-out notices, a lack of written policies and procedures, and policies that were either not implemented or not reasonably designed to safeguard customer records and information.
Recent SEC examinations identified the following areas as the most frequent compliance deficiencies.
What steps should your firm be taking?
Personal devices: Ensure that employees do not regularly store or maintain customer information on their personal laptops without policies and procedures that address how these devices must be configured to safeguard the customer information.
Electronic Communication: Ensure your firm has policies and procedures to address the inclusion of customer personally identifiable information (PII) in electronic communication.
Training and monitoring: Maintain policies and procedures that require customer information to be encrypted, password-protected, and transmitted using only firm-approved methods. Secondly, provide adequate training and monitoring on these procedures to ensure that they are actually followed.
Unsecure networks: Implement policies and procedures that prohibit employees from sending customer PII to unsecure locations outside of the firm's network.
Outside vendors: Require outside vendors to contractually agree to keep customers’ PII confidential.
PII inventory: Maintain an inventory that identifies all systems on which customer PII is maintained.
Incident response plans: Maintain a written incident response plan that identifies and addresses role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
Unsecure physical locations: Ensure customer PII is stored in secure physical locations.
Login credentials: Ensure customer login credentials are not disseminated to more employees than permitted under the firm's policies and procedures.
Departed employees: Maintain controls to ensure former employees do not retain access rights after their departure.
For more information please visit: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf
#Compliance #OneStepAhead #GetTier1Net