Alston & Bird Privacy, Cyber & Data Strategy Blog

SEC Issues Risk Alert Noting Common Regulation S-P Compliance Issues

April 18, 2019 By Kate Hanniford

The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has issued a Risk Alert that provides an overview of the most common deficiencies or weaknesses in investment adviser and broker-dealer compliance with the Safeguards Rule, Regulation S-P, based on recent examinations. Placed in context with prior OCIE Risk Alerts concerning cybersecurity practices and Regulation S-P compliance, this most recent Risk Alert suggests that OCIE continues to examine registrants broadly across their respective enterprises for Regulation S-P compliance risks, and to tie their stated policies and procedures to actual practice.

However, while prior Risk Alerts focused on evolving industry practices, hallmarks of robust cybersecurity policies and procedures, and noted areas of concern, this Risk Alert focuses explicitly on common deficiencies and weaknesses. In so doing, OCIE has developed a laundry list of specific compliance deficiencies related to how firms are handling customer information in practice and how a firm’s information security program should support the safeguarding of customer information. In this regard, it also signals OCIE’s expectation that cybersecurity policies and procedures will continue to mature in order to comply with Regulation S-P.

OCIE intends the Risk Alert to spur registered investment advisers and broker-dealers to review their written policies and procedures, as well as the implementation of those policies and procedures, since the Risk Alert specifically cites implementation failures and deficiencies as a key area of concern.

In addition to policies and procedures that it views as not reasonably designed to safeguard customer records and information, OCIE highlights the lack of policies and procedures designed to comply with Regulation S-P, including ones that simply restate the Safeguards Rule but do not address administrative, technical, and physical safeguards. OCIE likewise identifies incomplete or boilerplate policies and procedures that the registrant has not completed and finalized as deficient. The Risk Alert also highlights common deficiencies related to Initial, Annual, and Opt-Out Privacy Notices as particularly widespread and troubling.

Specific deficiencies also suggest that OCIE is focused on remote access and personal device usage, as well as encryption of communications, credentials sharing and password policies, employee training and monitoring, vendor risk management, network and physical security, and incident response procedures.

Filed Under: Cyber Risk, Data Protection, Data Security, Financial Privacy, Privacy Policy, Regulation

About Kate Hanniford

Kate Hanniford is a member of the Technology & Privacy Group and Cybersecurity Preparedness & Response Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.

