SEC Examinations Division Issues Risk Alert on Safeguarding Customer Records and Information at Branch Offices

The Securities and Exchange Commission (SEC) recently issued a risk alert focusing on the safeguarding of customer records and information at branch offices of registered investment advisers (RIAs) and broker-dealers. This move comes as the SEC's Examinations Division (EXAMS) identifies growing concerns over the protection of customer data within the financial services industry. In this update, we will discuss the key takeaways from this risk alert and the necessary steps that branch offices should take to ensure the safety of their clients' sensitive information.

Key Takeaways From the Risk Alert

• The EXAMS staff observed that many RIAs and broker-dealers may be out of compliance with the Safeguards Rule of Regulation S-P which requires adoption and implementation of written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. The staff spotted scenarios where RIAs and broker-dealers implemented policies and procedure for safeguarding customer records and information for their main office but failed to replicate practice for branch offices.
• EXAMS identified several areas of concern regarding safeguarding customer records and information:
  • Weak or inconsistent access controls
  • Insufficient data encryption
  • Inadequate policies and procedures for safeguarding customer information
  • Lack of ongoing employee training on information security
  • Inadequate supervision of third-party vendors handling customer information
• The risk alert emphasizes the importance of securing customer records and information, as well as the potential consequences of failing to do so. Unauthorized access to client data can lead to severe financial and reputational damage for both the firm and its customers.

Recommendations for Improving Safeguards

RIAs and broker-dealers should take the risk alert on safeguarding customer records and information seriously. Implementing remedial measures to address the areas of concern identified in the risk alert can help RIAs and broker-dealers avoid potential regulatory penalties and protect their clients' sensitive information. Here are some remedial steps to consider:

• Review existing policies and procedures: Carefully review existing policies and procedures related to safeguarding customer information. This includes ensuring that they are up-to-date, comprehensive, and in compliance with applicable regulations, such as Regulation S-P.
• Strengthen access controls: Implement robust access controls that limit access to customer data based on employees' roles and responsibilities. This may include using multi-factor authentication, setting up strong password requirements, and regularly reviewing and updating user access privileges.
• Encrypt sensitive data: Use strong encryption methods to protect customer data, both in transit and at rest. This includes utilizing secure communication channels, such as HTTPS, and employing encryption tools to protect stored data.
• Enhance employee training: Provide ongoing information security training for all employees, emphasizing the importance of safeguarding customer information and adhering to the company's policies and procedures. Training should cover topics such as phishing attacks, secure password management and reporting suspicious activities.
• Monitor third-party vendors: Conduct thorough due diligence on third-party vendors that handle customer information and ensure they have appropriate security measures in place. This includes regularly reviewing and monitoring their security practices and ensuring they adhere to contractual obligations related to data protection.
• Conduct regular risk assessments: Perform regular risk assessments to identify potential vulnerabilities in data protection measures and address them proactively. This may involve engaging external consultants or auditors to evaluate the firm's security posture and provide recommendations for improvement.
• Develop an incident response plan: Establish a clear incident response plan that outlines the steps to be taken in the event of a data breach or other security incident. This should include identifying key personnel responsible for responding to incidents, procedures for reporting and escalating issues, and a plan for notifying affected clients and regulators, if necessary.
• Maintain an audit trail: Keep detailed records of all activities related to safeguarding customer records and information. This includes documenting employee training, risk assessments, vendor management, and any incidents that may have occurred. Maintaining an audit trail helps demonstrate compliance with regulatory requirements and facilitates a timely response to any regulatory inquiries.

By taking a proactive approach to data security, branch offices of RIAs and broker-dealers can minimize the risk of unauthorized access, enhance the security of their customer records and information, and demonstrate their commitment to maintaining a strong data protection program. This not only helps to mitigate potential regulatory penalties but also strengthens client trust in the firm's ability to safeguard their sensitive information.

Our investment management attorneys are versed in counseling RIAs and broker-dealers on complex regulatory and compliance challenges as they grow and operate their businesses. Reach out to a member of the Faegre Drinker investment management team if you have any questions.