On April 26, 2023, the Securities and Exchange Commission (SEC) issued a risk alert highlighting the need for broker-dealers and investment advisers (collectively “firms”) to have written policies and procedures for safeguarding customer records and information at their branch offices.
Under the “Safeguards Rule” of Regulation S-P, firms must adopt written policies and procedures that reasonably address safeguards for the protection of customer records and information. In assessing compliance with this obligation, the staff observed the following common deficiencies in firms’ compliance programs for their branch offices:
Firms did not ensure that branch offices performed proper due diligence and oversight of their vendors providing services such as cybersecurity and technology operations.
Firms lacked policies and procedures addressing branch office email configurations, sometimes resulting in account takeover or business email compromise.
Data classification policies and procedures were not applied to branch offices, resulting in failures to identify and control customer records.
Firms did not require password complexity and multi-factor authentication for remote access to firm systems at branch offices, sometimes resulting in breaches.
Some firms did not apply procedures requiring inventory management, patch management, and vulnerability management to branch offices, leaving them prone to compromise.