CYBERSECURITY RISK ALERT: SEC Regulation S-P Risk Alert

Today, April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a risk alert regarding compliance issues related to Regulation S-P. The focal points identified by the OCIE were the failure to provide customers with privacy and opt-out notices, as well as the failure to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

The OCIE also noted that safeguards were often insufficient even where written policies and procedures were in place. Among the common areas of insufficiency were:

  • Policies and procedures that do not address safeguards for customer PII on personal devices
  • Policies and procedures that do not address safeguards for customer PII in electronic communications
  • Insufficient training, and failure to monitor employee compliance with policies
  • Failure to prohibit employees from sending and receiving customer PII over unsecured networks
  • Failure to sufficiently manage PII held by third-party vendors
  • PII inventories that are insufficiently monitored and maintained
  • Incident response plans that do not address important areas
  • Customer PII stored in unsecured physical locations
  • Misuse or mishandling of customer login credentials
  • Departed employees retaining access to firm systems and customer information after departure

For additional information, please visit: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf