SEC Warns of Key Risks for Client Privacy and Data Security

By Alex Padalka April 18, 2019

The SEC’s Office of Compliance Inspections and Examinations has found various deficiencies in how broker-dealers and investment advisors safeguard client data and handle privacy and opt-out notices, the regulator says.

The SEC’s exam unit has issued a risk alert covering issues it has unearthed over the past two years under the SEC’s Regulation S-P, which governs the security and privacy of client data. The OCIE’s examiners found instances of firms entirely failing to provide the initial and annual privacy notices and the opt-out notices the rule requires, along with examples of notices that did not actually reflect the firm’s policies and procedures, according to the risk alert.

Meanwhile, some firms had no policies or procedures at all addressing the safeguard rule, and at some companies the written policies and procedures “contained numerous blank spaces designed to be filled in by registrants,” the OCIE says.

Furthermore, examiners found various deficiencies in how the firms implemented policies and procedures, according to the risk alert. For example, some firms failed to address safeguarding client data on their staff’s personal devices and within electronic communications, the OCIE says. Some companies also failed to properly train their employees on encryption, password protection and other safeguarding measures, according to the risk alert.

In addition, examiners found cases in which firms failed to ensure that outside vendors safeguarded client data, or failed to identify all of the systems holding customers’ personally identifiable information (PII), the OCIE says. Other deficiencies included storing PII in unsecured physical locations, inadequate incident response plans, and failing to cut off departing employees’ access to customer data, according to the risk alert. The OCIE suggests that firms review both their written policies and procedures and how those are implemented in practice to ensure compliance.