Division Risk Alert: Branch Office Information Safeguarding

Main Contributor: Gretchen Sturdivan, CSCP Creative Director & Compliance Manager

Background

The Division of Exams (“EXAMS” or “the Staff”) provided a risk alert on April 26, 2023, to “highlight the importance of establishing written policies and procedures for safeguarding client records and information at branch offices” as well as the main office. Branch offices include locations outside of the main office as well as independent contractors who offer investment products and services. This also applies to employees who work remotely and do not consistently work from the main office. The policies need to address how client information is safeguarded in all office locations (onsite, remote, and hybrid) to ensure confidentiality, protection against threats to the security or integrity of client records/information, and protection against unauthorized access to or use of client records/information. Gaps in these safeguards could result in substantial harm or inconvenience to your firm’s clients.

The Staff’s biggest concern in this Risk Alert was that advisers implemented their policies and procedures for the main office but often did not do so for branch offices. However, this is not the first time the Staff has highlighted this issue for branch offices! On November 9, 2020, OCIE conducted an exam initiative focused on advisers operating from numerous branch offices. At that time, they were focusing on the compliance and supervisory practices relating to the advisory personnel within the branch offices, and back then they also noted deficiencies around policies not being consistently applied across all branch offices.

Within this latest Risk Alert, the Staff broke out their findings into the five categories where the most common issues resided. We break them down below along with our suggestions.

Vendor Management

Cybersecurity and technology services are often outsourced, and, in these instances, the Staff found that firms did not “reasonably ensure” that the branch offices were conducting due diligence and oversight of the vendors as stated in their own policies. The firms did not provide guidance or recommendations to assist branch offices in selecting vendors, which resulted in weak or misconfigured security settings. 

SCS Suggests

Weakened cybersecurity controls and systems are the last thing we want to have as they can allow for unauthorized access to client information. If your firm has branch offices, SCS suggests ensuring that your policies apply to each office location and that you provide a consistent framework for selecting vendors within the policies.

Email Configuration

The Staff found that many firms manage email vendor services for the branch offices from the main office. However, in some cases, the branch offices did not have their email accounts managed by the main office, and the firm lacked policies around email configuration. This led to many branch offices selecting their own vendors for email services and experiencing account takeover or business email compromise. In other cases, the default email configuration used “failed to capture all account activity, resulting in the inability to perform adequate incident response.”

SCS Suggests

If adequate policies and procedures are in place for email configuration and account activity review, it can all be managed from the main office. This is made possible through programs such as Smarsh or Global Relay. However, it is critical to ensure that the most robust security settings are in place for all accounts, firmwide. This is also applicable to cloud-based service providers in general. Leaving the default security settings in place for these programs is dangerous – they are not secure and ready to go right out of the box, and, as the Staff noted, a default configuration may not capture the account activity you would need to investigate an incident. Have a system for approving the use of vendors and a system for tracking approved systems and their security settings.

Data Classification

Data Classification policies are maintained in order to identify where client records and information are stored electronically. The Staff found that firms did not always apply these policies to their branch offices, which resulted in a “failure to identify and control” client records and information.

SCS Suggests

Data Classification policies are critical in safeguarding your clients’ information, and they should be taken just as seriously at branch offices. Branch offices that store client information should adhere to the same policies as the main office.

Access Management

It seems there is a pattern emerging. The Staff observed that the main offices adhered to policies around multi-factor authentication and password complexity requirements, but the branch offices didn’t apply the same policies. They became victims of breaches that these policies could have prevented.

SCS Suggests

It goes without saying, but information security controls are critical and should apply to all office locations. Supervision may be more difficult for branch offices, so invest the resources to ensure that the same policies are followed firm-wide to prevent breaches and reduce your firm’s risk.

Technology Risk

Here we are again! The Staff observed the main offices implementing written policies and procedures for inventory management, patch management, and vulnerability management, yet the main office did not apply the same policies to their branch offices. As a result, branch offices were not up to date with their system patching, the main office was not aware of the systems running on the branch offices’ networks, and branch offices were running end-of-life operating systems (meaning they were no longer supported by the manufacturer, so newly discovered bugs and weaknesses go uncorrected).

SCS Suggests

Again, we see the importance of creating a consistent firm-wide system for system patching and vulnerability management to ensure that one branch office doesn’t compromise the whole firm. Implement policies and procedures that are required across all offices, and make sure you have an individual who is responsible for managing this process.
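The Access Management and Technology Risk findings above share one root cause: controls that exist at the main office are never verified at the branches. The check below is an added example, not SCS's tooling or anything from the Risk Alert, of how a firm can report that gap office by office. It assumes three constructed inputs a firm typically already has: the asset inventory kept by the main office, the hosts actually observed on each office network (for instance from DHCP leases or a network scan), and an identity-provider export showing who has multi-factor authentication enrolled. The end-of-life list and the 30-day patch threshold are placeholders for the firm's own policy values.

```python
"""Firm-wide control-consistency check (illustrative example, constructed data).

Flags, per office: hosts running an end-of-life OS, hosts whose last patch is
older than policy allows, hosts seen on the network but absent from the
inventory, and users without MFA enrolled.
"""
from collections import defaultdict
from datetime import date

# Assumption: the firm maintains its own list of operating systems past vendor support.
EOL_OPERATING_SYSTEMS = {"Windows 7", "Windows Server 2008 R2"}
# Assumption: firm policy requires patches to be applied within 30 days.
MAX_PATCH_AGE_DAYS = 30

# Constructed: asset inventory maintained by the main office.
INVENTORY = [
    {"host": "MAIN-WS01", "office": "main", "os": "Windows 11", "last_patch": date(2023, 4, 20)},
    {"host": "MAIN-SRV01", "office": "main", "os": "Windows Server 2022", "last_patch": date(2023, 4, 18)},
    {"host": "BR1-WS01", "office": "branch-1", "os": "Windows 10", "last_patch": date(2023, 1, 5)},
    {"host": "BR1-SRV01", "office": "branch-1", "os": "Windows Server 2008 R2", "last_patch": date(2022, 11, 1)},
]
# Constructed: hosts observed on each office network (e.g. DHCP leases or a scan).
OBSERVED_HOSTS = {
    "main": {"MAIN-WS01", "MAIN-SRV01"},
    "branch-1": {"BR1-WS01", "BR1-SRV01", "BR1-NAS"},
}
# Constructed: identity-provider export with MFA enrollment state.
USERS = [
    {"user": "alice", "office": "main", "mfa": True},
    {"user": "bob", "office": "main", "mfa": True},
    {"user": "carol", "office": "branch-1", "mfa": False},
    {"user": "dave", "office": "branch-1", "mfa": True},
]


def asset_findings(inventory, observed_hosts, today):
    """Return {office: {"eol_os": [...], "stale_patch": [...], "not_in_inventory": [...]}}."""
    offices = {a["office"] for a in inventory} | set(observed_hosts)
    findings = {o: {"eol_os": [], "stale_patch": [], "not_in_inventory": []} for o in offices}
    known = defaultdict(set)  # office -> hosts the main office knows about
    for asset in inventory:
        office = asset["office"]
        known[office].add(asset["host"])
        if asset["os"] in EOL_OPERATING_SYSTEMS:
            findings[office]["eol_os"].append(asset["host"])
        if (today - asset["last_patch"]).days > MAX_PATCH_AGE_DAYS:
            findings[office]["stale_patch"].append(asset["host"])
    # Anything on the wire that the inventory does not list is a blind spot for patching.
    for office, hosts in observed_hosts.items():
        findings[office]["not_in_inventory"].extend(sorted(hosts - known[office]))
    return findings


def mfa_findings(users):
    """Return {office: sorted users without MFA}; every office appears even with no gaps."""
    gaps = {u["office"]: [] for u in users}
    for u in users:
        if not u["mfa"]:
            gaps[u["office"]].append(u["user"])
    return {office: sorted(names) for office, names in gaps.items()}


def offices_out_of_policy(asset_report, mfa_report):
    """Offices with at least one finding, i.e. where controls lag the written policy."""
    out = {o for o, f in asset_report.items() if any(f.values())}
    out |= {o for o, names in mfa_report.items() if names}
    return sorted(out)


if __name__ == "__main__":
    assets = asset_findings(INVENTORY, OBSERVED_HOSTS, date(2023, 4, 26))
    mfa = mfa_findings(USERS)
    for office in sorted(assets):
        print(office, assets[office], "no MFA:", mfa.get(office, []))
    print("out of policy:", offices_out_of_policy(assets, mfa))
```

Run against the constructed data, the main office comes back clean while branch-1 shows a stale and end-of-life server, a stale workstation, an unlisted NAS and one user without MFA, which is exactly the pattern the Staff described. The same three inputs, refreshed on a schedule, give the individual responsible for patching and vulnerability management a single report covering every office rather than only the one they sit in.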

Conclusion

Branch offices (remote, hybrid, and in-office locations) should have consistent practices with main office locations. When drafting or updating your policies and procedures, take all office locations into account to ensure they are practical and able to be applied across all office locations. Consistency is key in avoiding cybersecurity breaches or compromising client information.
