The SEC’s new Risk Alert provides valuable insight into what the Office of Compliance Inspections and Examinations (OCIE) expects broker dealers and investment advisers to accomplish with their privacy notices and their cybersecurity policies and procedures. The SEC wants this written documentation to be comprehensive, to accurately reflect the registrant’s actual practices, and to be implemented effectively throughout the business. Broker dealers and investment advisers can, and should, use the Risk Alert to benchmark their own practices against the SEC’s expectations.
In the April 16, 2019 Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) outlines privacy and cybersecurity compliance issues identified in its examinations of broker dealers and investment advisers over the prior two years. OCIE staff found that registrants’ privacy notices commonly were inaccurate, did not meet Regulation S-P’s requirements, or both. The procedures registrants had in place failed to adequately protect customers’ nonpublic personal information in several specific ways. And registrants’ written policies and procedures were not tailored to their business, did not comprehensively address cybersecurity, and did not accurately reflect their actual practices.
OCIE’s key takeaway is that registrants should review their written policies and procedures, including how those policies and procedures are actually implemented. In light of this, we recommend that broker dealers and investment advisers benchmark their written privacy and cybersecurity policies, and their implementation of those policies, against the SEC’s expectations set forth in the Risk Alert and in the SEC’s other cybersecurity guidance published since its first cybersecurity Risk Alert in 2014. This can be done efficiently with a questionnaire designed around the SEC’s stated expectations.
The following are common deficiencies that OCIE reported in its April 2019 Risk Alert. Broker dealers and investment advisers should review each of them and evaluate whether their own practices in these areas are sound:
Like prior OCIE risk alerts, this Risk Alert provides a road map for registered investment advisers and broker dealers to follow when developing or evaluating their data privacy and cybersecurity procedures. Registrants now have additional insight into the types of issues that OCIE staff will look for when conducting an examination. The Risk Alert also gives registrants, their CCOs and counsel the raw material for a thorough review program covering a firm’s data privacy and cybersecurity policies and procedures. CCOs and compliance staff should ensure that their annual compliance reviews are updated to reflect these issues, and should consult with counsel to evaluate their written policies and procedures, and the implementation of them, in light of OCIE’s findings.
Members of MoFo’s Privacy and Data Security practice group regularly assist broker dealers and investment advisers in benchmarking, forming, and maturing their cybersecurity programs, including their written privacy notices and their cybersecurity policies and procedures.