On April 16, 2019, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing numerous issues it found in its recent examinations of SEC-registered investment advisers and broker-dealers’ privacy practices. Some of the most common deficiencies the agency found were firms’ failure to give their customers initial or annual privacy notifications, or to notify them that they could opt out of sharing their non-public personal information with non-affiliated third parties.
Regulation S-P, the primary SEC rule regarding the privacy notices and safeguard policies of investment advisers and broker-dealers, requires that entities provide customers a clear and conspicuous notice of their privacy practices, including the customer’s right to opt out of some sharing of the customer’s personal information with nonaffiliated third parties. Customers must receive notice when the entity-customer relationship is established and every year thereafter for as long as the relationship continues, unless an exception to the annual requirement applies.
In addition, Regulation S-P requires entities to develop and implement administrative, technical, and physical safeguards for the protection of customer information. In the OCIE’s recent examinations, not only were firms found not to have been providing their customers the required notice, but many firms also lacked internal policies and procedures for administrative, technical, and physical information safeguards. Where firms did have the requisite policies and procedures in place, those policies either had not been implemented or were not sufficient to reasonably safeguard customer records and information.
Other issues the OCIE found included a lack of policies or procedures (i) to safeguard customers’ information on employees’ personal computers, (ii) to stop employees from regularly sending unencrypted emails to customers containing personal information, (iii) to prevent the information from being sent to unsecured locations outside the firms’ networks, and (iv) related to incident response plans. The Alert suggests that these plans should have sufficient specificity, including role assignments for plan implementation, system assessments, and incident management.
The Alert also suggests that firms should maintain an inventory of customer information, identifying all systems where customer information is used or stored and the categories of personal information kept. The Alert does not specify how detailed the inventory must be, but it appears to expect one so that firms can develop better policies and procedures to protect customer information.
The Alert demonstrates that the SEC is going to become a major player in enforcing privacy regulations, and investment advisers and broker-dealers registered with the SEC should be cognizant of their responsibilities and required procedures to avoid large monetary penalties. In the wake of the SEC’s increased scrutiny of the financial industry’s privacy and security practices, investment advisers and broker-dealers should review their written policies and procedures regularly to ensure they are in compliance with Regulation S-P and have a monitoring program in place to ensure compliance with internal policies and procedures as well as Regulation S-P.
This alert was co-authored by members of our Data Privacy & Information Governance Group: Gregory Leighton (firstname.lastname@example.org; 312-269-5372) and Bari Nathan (email@example.com; 312-269-8044) and our Fund Formation & Investment Management Group: Michael Gray (firstname.lastname@example.org; 312-269-8086), Wesley Nissen (email@example.com; 312-269-5697) and David Presser (firstname.lastname@example.org; 312-269-1715).
If you have any questions related to this alert or would like additional information, please reach out to your Neal Gerber Eisenberg contact or the authors.