SEC Risk Alert on Safeguarding Customer Information at Branch Offices

What Happened?

On April 26, 2023, the SEC’s Division of Examinations (EXAMS) published a Risk Alert regarding the security of customer information at branch offices maintained by broker-dealers and investment advisers. The Risk Alert emphasizes the need for firms to “[establish] written policies and procedures for safeguarding customer records and information at branch offices” pursuant to Regulation S-P. EXAMS staff observed that, while many firms have implemented safeguarding policies and procedures at their main office, implementation at remote or branch offices can fall short. In examinations, staff identified the following issues:

  • Vendor management issues, including:
    • Lack of due diligence and oversight of vendors at branch offices, as required by written policies and procedures; and
    • Weak or misconfigured security settings on branch office systems and applications due to lack of guidance or recommendations for selecting vendors.
  • Email configuration issues, including:
    • Failure to manage email accounts for branch offices; and
    • Failure to adopt policies and procedures governing branch office email configurations, including failures to specify technical requirements to safeguard customer information.
  • Data classification issues, including:
    • Lack of policies and procedures governing classification and control of customer records and information storage, or a failure to implement such policies at branch offices.
  • Access management issues, including:
    • Failure to enforce policies and procedures regarding access controls, such as password complexity and multi-factor authentication requirements, to branch offices.
  • Technology risk issues, including:
    • Failure to apply firm policies and procedures to branch offices; and
    • Inadequate oversight of issues like “inventory management, patch management, and vulnerability management” at branch offices, resulting in vulnerabilities in some branch office systems (e.g., some branch offices lacked up-to-date system patches, or were running “end-of-life” systems).

What Does This Mean For Me?

Firms should assess their cybersecurity programs for compliance with Regulation S-P, especially as they govern the conduct of any remote offices that firms maintain.

Additionally, given the SEC’s continued focus on cybersecurity, advisers should consider conducting a comprehensive review of their cybersecurity programs. In the past fourteen months, the SEC has released three material cybersecurity proposals for investment advisers, including:

  1. Proposed Cybersecurity Risk Management Rule;
  2. Proposed Outsourcing Rule – which establishes requirements for vendor oversight; and
  3. Proposed Amendments to Regulation S-P, including increased breach notification obligations.

We expect these proposals to be adopted. Regardless of the adoption timeline, firms must continue to comply with existing requirements, including Regulation S-P, and should also consider enhancing programs to prepare for upcoming regulatory changes.

The proposed amendments will require a significant amount of time and enhancement to existing cybersecurity practices. Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the proposed rules. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.