The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has issued a Risk Alert that provides an overview of the most common deficiencies and weaknesses in investment adviser and broker-dealer compliance with the Safeguards Rule of Regulation S-P, based on recent examinations. Read alongside OCIE’s prior Risk Alerts on cybersecurity practices and Regulation S-P compliance, this most recent Risk Alert indicates that OCIE continues to examine registrants broadly across their enterprises for Regulation S-P compliance risks, and to test whether their stated policies and procedures match actual practice.
Whereas prior Risk Alerts focused on evolving industry practices, the hallmarks of robust cybersecurity policies and procedures, and noted areas of concern, this Risk Alert focuses explicitly on common deficiencies and weaknesses. In doing so, OCIE has compiled a detailed list of specific compliance deficiencies concerning how firms handle customer information in practice and how a firm’s information security program should support the safeguarding of that information. The list also signals OCIE’s expectation that registrants’ cybersecurity policies and procedures will continue to mature in order to comply with Regulation S-P.
OCIE intends the Risk Alert to spur registered investment advisers and broker-dealers to review their written policies and procedures, as well as the implementation of those policies and procedures, since the Risk Alert specifically cites implementation failures and deficiencies as a key area of concern.
Beyond policies and procedures that it views as not reasonably designed to safeguard customer records and information, OCIE highlights the absence of policies and procedures designed to comply with Regulation S-P at all, including documents that simply restate the Safeguards Rule without setting out policies and procedures addressing administrative, technical, and physical safeguards. OCIE likewise treats incomplete or boilerplate policies and procedures that the registrant never completed and finalized as deficient. The Risk Alert also identifies common deficiencies related to Initial, Annual, and Opt-Out Privacy Notices as particularly widespread and troubling.
The specific deficiencies cited also indicate that OCIE is focused on remote access and personal device usage, encryption of communications, credential sharing and password policies, employee training and monitoring, vendor risk management, network and physical security, and incident response procedures. Registrants should expect examiners to look for evidence that each of these areas is addressed in writing and in practice.