The SEC’s Division of Examinations staff recently issued a risk alert highlighting deficiencies and trends that the Staff have observed relating to the safeguarding of customer records and information at branch offices of registered investment advisers and broker-dealers. The Alert follows recently proposed rule amendments that would require firms to adhere to enhanced compliance requirements relating to sensitive customer information.
Under the Safeguards Rule of Regulation S-P, firms are required to adopt and implement policies and procedures reasonably designed to ensure the security, integrity, and confidentiality of customer records and information, and to prevent unauthorized access to, or use of, customer records and information that could result in substantial harm or inconvenience to a customer.
Examination staff noted several common issues related to branch office governance, which included:
Vendor Management: Staff found that many firms did not appear to reasonably ensure that their branch offices performed proper due diligence and oversight of their vendors, as required by the firm’s policies and procedures.
Technology Risk: Staff found that, although some firms maintained reasonable technology policies and procedures for their main office, such as email management, inventory management, patch management, and vulnerability management, they did not apply those same policies and procedures in connection with their branch offices.
Data Classification: Staff observed that while firms typically maintained written data classification policies and procedures to identify where customer records and information were stored electronically, firms did not always apply these policies and procedures to branch offices.
Access Management: Staff observed that firms typically maintained policies and procedures requiring password complexity and multi-factor authentication for remote access to firm systems for the main office; however, they did not require the same or similar controls for branch offices.
In light of this risk alert, broker-dealers and investment advisers should immediately review their policies and procedures for their branch offices and make any necessary changes to address the issues raised in the alert.