New Risk Alert on Regulation S-P

Last week the Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert (the “Alert”) on Regulation S-P, the Privacy Rule. The Alert described the most common deficiencies found regarding the Privacy Rule over the past two years of examinations of both registered investment advisers and broker-dealers.

The top findings included:

  1. Failure to deliver an initial notice, annual notice and/or opt-out notice
  2. Lack of written policies and procedures that addressed all requirements of the Privacy Rule
  3. Inadequate policies, or policies that were not implemented and therefore could not protect customer information
  4. Specifically, written policies were often found to lack oversight of the following areas:
    • Personal devices
    • Electronic communications
    • Training and monitoring
    • Unsecure networks
    • Outside vendors
    • Personally Identifiable Information (“PII”) inventory
    • Incident response plans
    • Unsecure physical locations
    • Login credentials
    • Terminated employees

Most firms tend to address Regulation S-P with both written Regulation S-P policies and data security policies. With an increased focus today on cybersecurity, both advisers and broker-dealers tend to have Written Information Security Plans (“WISP”).

A well-formulated WISP is one that refers back to and incorporates the firm’s Regulation S-P policy. By properly identifying and addressing the use of customer PII, the WISP goes a long way toward complying with both Regulation S-P and the various data security requirements of federal and state regulators.

View Risk Alert, “Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies,” April 16, 2019