22 July 2019
Once again, the SEC has provided insight into exam deficiencies. This time, it’s regarding Reg S-P.
Reg S-P requires, among other things, that registered investment advisers:
- provide customers with a copy of the Firm’s Privacy Notice initially and annually (the annual notice may be skipped only if nothing about the firm’s sharing practices has changed since the last notice);
- provide customers with an option to opt out of personal information being shared to non-affiliated third parties; and
- maintain written policies and procedures addressing the administrative, technical, and physical safeguards in place to protect customer records and information.
Frequent Reg S-P Compliance Deficiencies
Privacy and Opt-Out Notices
The SEC observed that notices were not provided as required or did not accurately reflect a firm’s actual policies and procedures. The SEC also found that advisers failed to notify clients of their right to opt out of sharing their nonpublic personal information with nonaffiliated third parties. If you share your clients’ information with an unaffiliated third party without a legitimate business necessity, your privacy notice must include language that allows clients to opt out of that sharing.
Create a welcome packet for new clients that includes your ADV Part 2A, 2B, and Privacy Notice, or include the Privacy Notice at the end of your ADV to ensure all new clients receive these critical documents. Just to clarify, your Privacy Notice must only be provided to “consumers” which is defined in Reg S-P as, “an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” In other words, your non-institutional clients.
A few things to remember about opt-out notices:
- The opt-out notice does not need to be provided if the information shared with third parties is necessary to deliver your investment advisory services (performance calculations, GIPS verification, auditors, or conducting transactions, for example).
- If you do not provide an opt-out notice, remember your Privacy Notice must be provided initially and your agreements with third parties must prohibit that third party from disclosing or using personal information other than to carry out the purposes for which the information was disclosed.
- If you disclose nonpublic personal information to an unaffiliated third party, whether or not you rely on an opt-out, you must provide a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted.
Email us to request your free checklist for what must be included in your privacy notice.
Policies and Procedures
The SEC found that firms either did not have policies or their policies were still in template form with missing information (such as firm name). Firms lacked details regarding administrative, technical, and physical safeguards.
Review and edit your privacy policies to ensure your firm’s safeguards and processes are properly captured. Chances are you already have safeguards in place; you may just need to document them in your privacy policies. If you would like an example set of privacy policies to refer to, ask us for a template!
Here are some categories of protection to consider:
Technical safeguards include technological defenses such as encryption, VPN, multi-factor authentication, firewalls, and redundant servers. We recommend you consult with your IT provider to understand how your systems work and document the technical safeguards you actually have in place in your policies and procedures (a policy that describes controls you do not run is itself a finding waiting to happen).
Physical safeguards cover the controls around access to the office and to file cabinets that hold sensitive information.
Administrative safeguards can include need-to-know access to computer files and hard-copy files, a “clean desk” policy for when employees step away from their desks or leave for the day, and policies establishing the firm’s ownership of firm information upon termination.
Policies not implemented or not reasonably designed to safeguard client records and information
OCIE staff found advisers had written policies and procedures that had not been properly implemented or were not reasonably designed to:
- ensure the security and confidentiality of customer records and information,
- protect against anticipated threats or hazards to the security or integrity of customer records and information, and
- protect against unauthorized access to or use of customer records or information that could result in hardship or inconvenience to customers.
The SEC provided specific examples as summarized below.
Staff found advisers’ personnel stored client information on their laptops, but the firms did not have safeguards to protect that client information.
Talk to your IT provider. They may have solutions better equipped for your firm. But here are some of our suggestions:
Encrypt your laptops with full-disk encryption. That way, if an employee laptop is lost or stolen, the data on its drive cannot be read without the key. Confirm encryption is actually enabled on each device rather than assuming it is.
You could prohibit personal device use for business purposes. This strategy is not always practical, but if it is for your firm, it would help minimize exposure to cyber threats. Alternatively, if employees use their personal devices for business, consider these policies to protect data:
- Have a policy that prohibits employees from storing client information on laptops and other personal devices. Many programs and cloud-storage providers have security settings which, among other things, send notifications when large amounts of data are moved, downloaded, or e-mailed. These can be great tools to help protect personal information from compromise and manipulation, but the settings usually have to be turned on.
- Require a passcode or biometric lock (such as face recognition) to access cellphones and other personal devices.
- Obtain the ability to remotely wipe devices if they are lost or stolen.
- Train employees regularly on your policies and explain the “why” to help them understand the risks associated with certain actions.
- Prohibit employees from connecting laptops and cell phones to unsecured Wi-Fi (this is a great personal tip too…). Public Wi-Fi at Starbucks or the airport exposes traffic to interception and can provide an entry point for attackers and malware; if it cannot be avoided, require a VPN connection before any firm system is accessed.
- Also have IT or a third party conduct a regular scan of laptops to confirm this policy is being followed.
The SEC noted that firms did not have proper policies and procedures or training to ensure employees sent personal information via encrypted email.
Set up a process by which emails with sensitive client information are sent encrypted and train your employees on the policy and procedures.
Periodically review emails to confirm adherence to the firm’s policies.
Training and monitoring
Policies that required encryption or other safeguards were not followed because employees did not receive proper training or monitoring to ensure policies were followed.
Policies and procedures are an essential part of your organization. However, even if you have the most amazing policies in the industry, they are no good if the people at your firm do not know and follow them. How do you get your employees to follow the policies?
- Make sure they are easy to understand.
- Store them in an accessible location for easy reference.
- Provide training to all new staff.
- Provide ongoing training on key elements. Redundancy is key.
- If a deficiency occurs, send a reminder to all staff of the firm’s policies.
- Encourage your team to give you feedback to ensure effective policies.
In our opinion, this is the most important element to this article. Your best defense against any cybersecurity threats or client security breach is your people. Invest in your people by providing them clear, concise policies and regular training.
The SEC noted that firms lacked policies and procedures designed to prevent information being sent to unsecure locations.
This, again, comes down to training. As mentioned above, we suggest prohibiting employees from using unsecured Wi-Fi and other public hotspots for internet access to safeguard client (and employee) information. Prohibit downloading information to unencrypted devices (phones, thumb drives, laptops). Software is available that firms can use to notify when large amounts of data have “left the building.” Cloud storage systems also have settings (which must be enabled) that will send similar notifications.
The SEC found advisers did not follow their own policies with outside vendors. For example, advisers failed to contractually obligate third-party vendors to keep client information confidential.
Prior to signing or renewing contracts, review them for terms that are in alignment with your own policies and client agreements. Do not be afraid to reach out and ask your vendors what they do to protect your clients’ information or to request a modification to the agreement to ensure you are meeting your own compliance obligations.
Have a due diligence process in place to review your outside vendors on a regular basis.
Personal Identifying Information (“PII”) Inventory
PII was not properly inventoried to identify all systems where PII was stored.
Assess your PII: define it, determine where it is stored, and identify who has access to it. If an adviser does not know what PII it maintains and where, it becomes difficult to safeguard that information.
Think about both electronic and hard-copy access, and make sure you have avenues to protect PII in both mediums. Request your copy of our Books and Records Matrix. It is a great tool for identifying not only where your records are stored, but also to confirm you are meeting the record retention requirements and can easily respond to an SEC request letter in the event of examination.
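A small script helps with two of the points above: the PII inventory (knowing what you hold and where) and the periodic review of e-mail for sensitive content that went out unencrypted. The following is an added example, not part of the original article or any vendor’s product. The records, the locations, and the PII patterns are constructed assumptions; a real deployment would read from the firm’s file shares and mail archive and tune the patterns to its custodians’ account-number formats.

```python
import re
from dataclasses import dataclass

# Illustrative PII patterns (assumptions, not a complete definition of PII).
# The SSN pattern rejects area numbers 000, 666 and 9xx, which are never issued.
PII_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "account_number": re.compile(r"\b(?:acct|account)\s*#?\s*:?\s*(\d{8,12})\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


@dataclass
class Record:
    location: str       # file path, share, or mailbox entry
    owner: str          # who controls access to it
    content: str        # text as extracted from the file or message
    encrypted: bool     # at rest for files, in transit for e-mail
    is_email: bool = False


def classify(text):
    """Return the set of PII categories found in the text."""
    return {name for name, pat in PII_PATTERNS.items() if pat.search(text)}


def build_inventory(records):
    """Map every location that holds PII to its categories, owner and encryption state."""
    inventory = {}
    for r in records:
        found = classify(r.content)
        if found:
            inventory[r.location] = {
                "categories": sorted(found),
                "owner": r.owner,
                "encrypted": r.encrypted,
            }
    return inventory


def unencrypted_pii(records):
    """Locations holding PII without encryption, sorted for a stable report."""
    return sorted(loc for loc, info in build_inventory(records).items()
                  if not info["encrypted"])


def emails_needing_encryption(records):
    """Sent e-mails that contained PII but were not encrypted (policy violations)."""
    return sorted(r.location for r in records
                  if r.is_email and not r.encrypted and classify(r.content))


# Constructed sample records: a client file, a personal desktop note,
# an e-mail to a custodian, and a marketing document with no PII.
SAMPLE_RECORDS = [
    Record("Z:/clients/smith_onboarding.docx", "operations",
           "Client SSN 123-45-6789, DOB 04/15/1975, risk tolerance moderate", True),
    Record("C:/Users/jdoe/Desktop/notes.txt", "jdoe",
           "Call Smith re account #: 001234567890 rollover", False),
    Record("mail:/sent/2019-07-18/to-custodian", "jdoe",
           "Please update SSN to 321-54-9876 for the Smith account.", False, True),
    Record("Z:/marketing/newsletter.docx", "marketing",
           "Q2 market commentary, no client data", True),
]


if __name__ == "__main__":
    for loc, info in build_inventory(SAMPLE_RECORDS).items():
        print(f"{loc}: {info}")
    print("unencrypted PII at:", unencrypted_pii(SAMPLE_RECORDS))
    print("e-mails sent unencrypted with PII:", emails_needing_encryption(SAMPLE_RECORDS))
```

Regex matching produces false positives (a date that is not a birth date, a nine-digit number that is not an account), so treat the output as a list of locations to review and confirm with the file owner, not as the inventory itself. Both the hits and the review outcome are worth keeping as part of your books and records.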
Incident Response Plans
The SEC noted Incident Response Plans did not address critical areas such as assignments for implementation of the plan, actions required to address cybersecurity, or assessment of vulnerabilities to properly prepare a plan.
Gather critical employees like IT, operations, and compliance professionals (the “incident response team”) and assign roles based on experience and job duties. If you have cybersecurity insurance (which we highly recommend), build the notification to your insurance provider into the plan, since many policies require prompt notice.
Consider obtaining a vulnerability assessment by a third party.
If you have an incident, be sure to document the facts, including a post-incident review on how your firm will prevent it from occurring again.
Review your incident response plan by running a “tabletop” exercise with your incident response team: walk through a plausible incident and discuss roles, your process, and whether the plan still seems reasonable.
Document training and any testing of your incident response plan.
Unsecure Physical Locations
PII was stored in unsecured locations like unlocked cabinets or offices.
Perform a random sweep to identify if PII is stored improperly, train staff, and check again in a few days to make sure they have resolved any violations. And again, implement a “clean desk” policy and empower employees with accountability.
Client log-in information was disseminated to more employees than permitted under a firm’s policy.
Passwords should not be shared. Remind employees of your policies and/or implement a password manager across the firm such as 1Password or LastPass, so each employee holds their own credentials and any shared logins are stored in a controlled vault rather than passed around by e-mail or sticky note.
Even though not addressed as a deficiency in this risk alert, we also suggest maintaining a log of access rights (what programs and folders employees can access) and regularly reviewing for accuracy. If you have software that monitors access or alerts you for unusual activity, then you are able to identify violations or even breaches.
Firms failed to deactivate former employees’ access to restricted customer information.
We often find, at smaller firms, that Compliance is HR, so enlist help from your HR team to create a succinct process by which employee access is terminated when they leave the firm. Have a checklist for your employee termination process, just like you do for your new employee process. As discussed, we find it helpful to inventory systems, programs, and file access and periodically re-check that inventory so access still matches each employee’s current role.
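The three deficiencies above (shared client logins, no access-rights log, and former employees left with access) can all be caught by one periodic reconciliation: compare the HR roster and a role-based entitlement matrix against an export of who actually has access to each system. The following is an added example written for this article, not code from the SEC or any vendor; the roster, the entitlement matrix, and the access export are constructed assumptions standing in for your HR records and each system’s admin console.

```python
from datetime import date

# Constructed HR roster: current role and, if the person left, the termination date.
ROSTER = {
    "asmith": {"role": "adviser", "terminated": None},
    "bjones": {"role": "operations", "terminated": date(2019, 6, 28)},
    "cwu":    {"role": "compliance", "terminated": None},
    "dlee":   {"role": "marketing", "terminated": None},
}

# Constructed entitlement matrix: which roles are permitted on which system.
ENTITLEMENTS = {
    "custodian_portal": {"adviser", "operations"},
    "crm": {"adviser", "operations", "compliance"},
    "client_share": {"adviser", "operations", "compliance"},
    "marketing_share": {"marketing", "compliance"},
}

# Constructed access export: (employee, system, login used on that system).
ACCESS = [
    ("asmith", "custodian_portal", "asmith"),
    ("bjones", "custodian_portal", "bjones"),   # terminated, never deactivated
    ("bjones", "client_share", "bjones"),       # terminated, never deactivated
    ("cwu", "crm", "cwu"),
    ("dlee", "marketing_share", "dlee"),
    ("dlee", "client_share", "dlee"),           # marketing is not entitled here
    ("asmith", "crm", "ops-shared"),            # one login used by two people
    ("dlee", "crm", "ops-shared"),              # ...and the second is not entitled
    ("zold", "client_share", "zold"),           # account with no roster entry at all
]


def stale_access(roster, access, today):
    """(employee, system) pairs held by terminated or unknown employees."""
    out = set()
    for user, system, _login in access:
        entry = roster.get(user)
        if entry is None or (entry["terminated"] and entry["terminated"] <= today):
            out.add((user, system))
    return sorted(out)


def over_entitled(roster, entitlements, access):
    """(employee, system) pairs where the employee's role is not permitted on that system."""
    out = set()
    for user, system, _login in access:
        entry = roster.get(user)
        if entry is None:
            continue  # reported by stale_access instead
        if entry["role"] not in entitlements.get(system, set()):
            out.add((user, system))
    return sorted(out)


def shared_logins(access):
    """Logins used by more than one employee on the same system, i.e. shared passwords."""
    users_by_login = {}
    for user, system, login in access:
        users_by_login.setdefault((system, login), set()).add(user)
    return {key: sorted(users) for key, users in users_by_login.items() if len(users) > 1}


def access_review(roster, entitlements, access, today):
    """Run all three checks and return the findings for the compliance file."""
    return {
        "stale": stale_access(roster, access, today),
        "over_entitled": over_entitled(roster, entitlements, access),
        "shared_logins": shared_logins(access),
    }


if __name__ == "__main__":
    for finding, items in access_review(ROSTER, ENTITLEMENTS, ACCESS, date(2019, 7, 22)).items():
        print(f"{finding}: {items}")
```

Keep the access export, the roster snapshot and the findings together with the date of each review; that record is the “log of access rights” the article recommends, and it is what an examiner will ask for when checking that terminations were actually processed.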
First, review your privacy notice to make sure it reflects the requirements. Then review your policies to make sure they are accurate and sufficient for what your firm does and needs to do to protect clients. Enlist other employees to help you. Then train your staff. Training does not have to be long and complicated; it is the continual reminders that keep employees sharp. Add a task to your annual review to check in with departments regarding systems and program updates, and lean on your IT provider for assistance. And as always, we are here to help!