The SEC’s Office of Compliance Inspections and Examinations recently conducted examinations of privacy notices and safeguarding policies of SEC-registered investment advisers and broker-dealers adopted pursuant to Regulation S-P. As a result of these examinations, the SEC issued a Risk Alert identifying common deficiencies that are important to keep in mind when adopting, implementing and reviewing compliant privacy notices and effective safeguarding policies.
Regulation S-P requires financial institutions such as investment advisers and broker-dealers to adopt written policies and procedures to safeguard nonpublic personal client information. These policies must be reasonably designed to protect the confidentiality and security of nonpublic personal client information from any anticipated threats or hazards and any unauthorized access or use. The policies should address administrative, technical, and physical safeguards.
Investment advisers and broker-dealers must also provide initial and annual privacy notices to their clients describing the types of information collected and disclosed, the types of affiliated and non-affiliated third parties the information is disclosed to and, unless exempted from the opt-out notice requirement, an explanation of the client’s right to opt out of disclosure of nonpublic personal information to a non-affiliated third party. The privacy notice should also generally describe the firm’s safeguarding policies and procedures.
When conducting its examinations, the SEC noted a few common deficiencies in the privacy notices themselves. Mainly, there were instances of initial and annual privacy notices not being provided to clients as required, or of opt-out notices not being included in the privacy notice where one was required. In addition, the SEC found privacy notices that did not accurately reflect the firms’ safeguarding policies and procedures.
Most of the common deficiencies noted by the SEC involved safeguarding policies that were inadequate and not reasonably designed to safeguard nonpublic client information, or that did not appear to have been fully implemented. Inadequate safeguarding policies included policies that were incomplete or had blank spaces; that did not address safeguarding of client information on personal devices such as laptops; that did not address protecting nonpublic personal information in electronic communications through encryption; that did not prohibit employees from sending nonpublic personal information to unsecured out-of-network locations; that did not require inventories of all systems on which nonpublic personal information was maintained; and cybersecurity incident response plans that did not address role assignments or assessments of system vulnerabilities.
Common deficiencies associated with safeguarding policies that were not fully implemented included the failure by firms to train employees regarding technical safeguards for electronic communications such as encryption and password protection; to monitor employees to ensure these technical safeguards are being followed; to require confidentiality provisions in contracts with outside vendors as stated in the firm’s safeguarding policies; to ensure client information is being stored in a secure physical location (and not in unlocked file cabinets in open offices); to ensure customer login credentials are being used only as permitted under the firm’s safeguarding policies; and to ensure that former employees do not retain access to client information after their departure, in accordance with the firm’s safeguarding policies.
Investment advisers and broker-dealers are encouraged to take this opportunity to carefully review their own privacy notices and safeguarding policies, as well as their implementation of those policies, to ensure they avoid these common deficiencies and are in compliance with Regulation S-P.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our website for more information.