Last week the Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert (the “Alert”) on Regulation S-P, the Privacy Rule. The Alert described the most common deficiencies found regarding the Privacy Rule over the past two years of examinations of both registered investment advisers and broker-dealers.
The top findings included:
- Failure to deliver an initial notice, annual notice and/or opt-out notice
- Lack of written policies and procedures that addressed all requirements of the Privacy Rule
- Inadequate policies, or policies that were not implemented and therefore could not protect customer information
  Specifically, written policies were often found to lack oversight of the following areas:
  - Personal devices
  - Electronic communications
  - Training and monitoring
  - Unsecure networks
  - Outside vendors
  - Personally Identifiable Information (“PII”) inventory
  - Incident response plans
  - Unsecure physical locations
  - Login credentials
  - Terminated employees
Most firms tend to address Regulation S-P with both written Regulation S-P policies and data security policies. With an increased focus today on cybersecurity, both advisers and broker-dealers tend to have Written Information Security Plans (“WISP”).
A well-formulated WISP is one that refers back to and includes information from a firm’s Regulation S-P policy. By properly identifying and addressing the use of customer PII, the WISP goes a long way to complying with both Regulation S-P and the various data security requirements of federal and state regulators.