The SEC’s Office of Compliance Inspections and Examinations has published a Risk Alert calling out advisers and broker-dealers for their failures to protect personal information. Based on deficiencies identified over the last two years, the SEC found failures related to privacy notices, policies and procedures, and physical safeguards. The SEC faulted registrants for failing to deliver initial and annual privacy notices, or for delivering notices that did not accurately reflect their policies and procedures. The SEC found firms that had effectively adopted no policies and procedures at all, merely restating the Safeguards Rule. Other firms either adopted weak policies and procedures or failed to properly implement them. Common deficiencies included unsecured laptops, unencrypted emails, inadequate training, insufficient control of third-party vendors, inadequate incident response plans, and shared login credentials. OCIE states that the Risk Alert is intended “to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information.”
Compli-pros should ensure the annual testing program includes the privacy notice process and the implementation of policies and procedures to avoid the highlighted issues. It may make sense to combine the testing with the required cybersecurity assessment.