The SEC’s Office of Compliance Inspections and Examinations (colloquially known as “OCIE” or just the “SEC” to many market participants) recently issued another risk alert. The topic this time was privacy policies under Regulation S-P. Below are examples of the most common deficiencies or weaknesses identified by OCIE staff in connection with the Safeguard Rule. If you have any questions about the risk alert or want to discuss your own privacy and data protection policies, contact CCO Tech here and we’ll gladly help you.
Privacy and Opt-Out Notices
OCIE found that many registrants failed to provide:
- Initial Privacy Notices when an account is created,
- Annual Privacy Notices (or notice that there was no change in the policy), which many firms send with their amended Form ADV Part 2A (the brochure), and
- Opt-out Notices (i.e., giving clients the ability to opt-out of letting you share their information shared with other, nonaffiliated third parties).
For some registrants that did provide these notices, OCIE found that the information in the notices did not reflect the policies and practices of the registrant.
In our increasingly digitized lives, privacy and cybersecurity cannot be treated as a mere administrative task that registrants must follow to comply with the law. Registrants need to understand that protecting their customers or clients’ data is essential to maintaining a good business relationship. We recommend that registrants review their privacy policies at least annually and get a third-party to review them every few years. Further, the delivery of privacy policies should be included in your annual compliance calendar along with testing of whether your delivery policies were followed, preferably within a few months after the delivery of the notice.
Finally, we note that the “Fixing America’s Surface Transportation Act of 2015” (the “FAST Act”) included an exception for investment advisers regarding their annual delivery of privacy notices under Section 503 of the Gramm-Leach-Blilely Act (the “GLBA”). As amended, Section 503(f) an investment adviser is not required to deliver an annual privacy notice if it provides nonpublic personal information only in accordance with the GLBA and it has not changed its privacy policies since they were last disclosed to investors.
Lack of policies or procedures or failure to implement procedures concerning privacy and data protection
OCIE also found that many registrants did not have written policies and procedures related to the administration of privacy and data protection or technical and physical safeguards and controls relating to confidential information, or the procedures they did have were weak. One major issue was the use of generic or incomplete policies and procedures. OCIE found some registrants had cut and pasted policies from some source without completing the document or ensuring that it reflected the registrant’s actual business practices.
Unfortunately, we often see instances where registrants let their policies and procedures become outdated or fail to tailor them at the time of implementation. This is especially true for state-registered investment advisers that transition to SEC-registration and its accompanying rules and regulations. These registrants need to understand that their old policies and procedures may not comply with SEC rules, such as Regulation S-P.
Although most registrants review their policies and procedures annually, it’s a good practice to have a third party review your compliance manual at least every few years. Often, a fresh set of eyes notice issues or raise questions that cause a registrant to re-evaluate their practices or written procedures. In many cases, we are able to help registrants reduce the overall page count of their compliance manual while simultaneously improving the effectiveness and applicability of the written policies and procedures.
For some registrants that did have adequate written policies and procedures, OCIE found that those procedures were not being implemented. The primary areas of weak controls included:
- Employees’ personal devices. As employees, we live in a bring-your-own-device world (gone are the days of getting your employer-issued
BlackberryiPhonemobile telecommunications device) and we are expected to remain connected to our employer-mothership. As a result, many of us have access to client information on our mobile devices. But many policies and procedures lack controls to protect that information. If you issue laptops computers to your employees, you need to encrypt those hard drives, have security software installed, and have mechanisms in place to both protect client information or delete it in the event of a lost, stolen, or missing laptop. If you allow employees to use their personal laptop or mobile device for work purposes, then you need to ensure those devices have security software installed and you have the ability to disconnect the device from the employee’s work accounts (e.g., email, network drives, etc.). You should also consider policies that prohibit employees from storing client information on their personal device without your firm having the ability to remove that information. - Electronic communications. OCIE found that many registrants did not have controls to prevent personally identifiable information (“PII”) from being sent via unencrypted emails or to unsecure locations. If your employees manage PII as part of their jobs, you must encrypt all their emails or limit such data to client portals and restrict where and to whom employees can send such information. Once you have your controls setup, train your people on how to use them, monitor if they are using them (e.g., email or portal access reviews), and quickly address any issues.
- Vendor Management. Even if a registrant had good policies and procedures and followed them, some failed to require such procedures from their vendors. Any vendor that touches PII or confidential information should contractually agree to protect it. And those vendors should have policies and procedures in place to ensure that they are maintaining that confidentiality and prove to you that they are following them.
- Cybersecurity Reviews and Inventory. As OCIE noted, registrants need to document their cyber systems and who has access to PII or confidential information. This documentation should be reviewed annually as part of a comprehensive cybersecurity review. If you need help with such a review, start with FINRA’s cybersecurity checklist, or contact us and we’ll help you. Part of your review and inventory should be an Incident Response Plan. We recommend registrants document how they would deal with a data breach and other cyber events. You could even identify in advance those vendors you would use if you ever did suffer a breach. We also recommend an annual tabletop exercise so that key personnel understand their roles and responsibilities under the plan. We also recommend that you contact your insurance agent to see if it has materials that you can use in developing your plan.
As OCIE’s risk alert highlights, physical and cybersecurity must be taken seriously by all SEC-registrants. We know it can be difficult to implement appropriate procedures and controls. But in our experience, your employees will understand the need to protect this data, especially since many of us have had our personal data compromised. Protecting your client data and systems is key to maintaining trust with your clients. If you need help, contact us; we’re here to help you manage your compliance program so that you can focus on taking care of your clients.
