Close Close
Sign In
Newsletters
Popular Financial Topics Discover relevant content from across the suite of ALM legal publications From the Industry More content from ThinkAdvisor and select sponsors Investment Advisor Issue Gallery Read digital editions of Investment Advisor Magazine Tax Facts Get clear, current, and reliable answers to pressing tax questions
Luminaries Awards
Podcast Center Video Center Webcasts Resource Center Events
About ThinkAdvisor Contact Us Advertise With Us Asset & Logo Licensing Sitemap Terms of Service Privacy Policy Copyright © 2024 ALM Global, LLC. All Rights Reserved.
ThinkAdvisor
Cybersecurity, laptop screen with a padlock

Regulation and Compliance > Federal Regulation

Branch Offices Lack Policies for Protecting Client Records: SEC

By Melanie Waddell

X
Your article was successfully shared with the contacts you provided.

The Securities and Exchange Commission warned broker-dealers and advisors Wednesday about the importance of having written policies and procedures for safeguarding client records and information at branch offices, since some firms have experienced cybersecurity and data breaches.

In a risk alert, the agency’s Division of Examinations says that individuals in branch offices often have access to information technology systems that contain client records and information.

“While many of these firms have implemented safeguarding policies and procedures at their main office, some firms did not adopt or implement written policies and procedures that address safeguards for their branch offices despite the existence of the same or similar risks.”

In some cases, the agency states, “this failure has resulted in firms falling victim to cybersecurity and data breaches.”

The Safeguards Rule of Regulation S-P requires firms to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of client records and information.

During exams, the SEC found that while “many firms implemented policies and procedures for safeguarding customer records and information for their main office, they often did not do so for branch offices.”

In particular, SEC exam staff explains that firms were lax in the following areas:

1. Vendor management

In many instances, firms did not appear to reasonably ensure that their branch offices performed proper due diligence and oversight of their vendors as required by the firms’ own policies and procedures.

2. Email configuration

Firms often use vendors to provide email services. SEC staff observed that in many instances, these services are managed from the main office where staff or vendors provide accounts for branches. However, in some instances, firms did not manage email accounts for branch offices.

3. Data classification

While they often maintained data classification written policies and procedures to identify where client records and information were stored electronically, firms did not always apply these policies and procedures to branch offices.

4. Technology risk

Though they maintained reasonable technology policies and procedures for their main office, firms did not apply any such policies and procedures in connection with their branch offices in some instances. As a result, branch office systems were more prone to compromises.

(Image: Adobe Stock) 

Melanie Waddell

@Think_MelanieW

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.