September 28, 2021

Volume XI, Number 271


Not So Secure: OCIE Identifies Regulation S-P Compliance Issues

On April 16, the SEC's Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert outlining Regulation S-P compliance issues it had identified in its examinations of SEC-registered investment advisers and broker-dealers (Registrants). 1

Regulation S-P

Regulation S-P generally requires a Registrant to provide customers with a clear and conspicuous privacy notice that accurately reflects the Registrant's privacy practices; the privacy notice must be provided when a customer relationship is established and at least annually thereafter. Registrants must also provide an opt-out notice explaining customers' right to opt out of certain disclosures of their personally identifiable information (PII) to third parties. 2  The "Safeguards Rule" of the Regulation also requires Registrants to adopt written policies and procedures that include administrative, technical and physical safeguards designed to (1) ensure the security and confidentiality of customer information, (2) protect against any threats to the security or integrity of the information, and (3) protect against any unauthorized access to or use of the information. 3

OCIE's Findings

The most frequent compliance issues noted were:

  • Privacy and Opt-out Notices. Some Registrants either did not provide the notices required under the Regulation, or where notice was provided, the notices did not accurately reflect Registrants' policies and procedures.

  • Policies and Procedures. Similarly, many Registrants either did not adopt the required written policies and procedures, or the policies and procedures they had were deficient, in some cases to the point that they "contained numerous blank spaces."

  • Implementation and Safeguards. Where Registrants had adopted written policies and procedures, some of those policies and procedures were not reasonably designed to safeguard customer information, or were not followed in practice. Specifically, some Registrants failed to:

    • Protect customer information stored on employees' personal devices;

    • Address and prevent personnel from sending unencrypted emails containing PII;

    • Appropriately train personnel on the use of encryption, password protection and use of approved methods of transmission, and monitor that the policies were being followed;

    • Prohibit personnel from sending customer PII to unsecure locations;

    • Follow their own policies and procedures when engaging vendors, including failing to require vendors to agree to keep PII confidential;

    • Identify all systems containing customer PII;

    • Fully develop incident response plans, including defining roles and responsibilities and assessing system vulnerabilities;

    • Keep PII in secure locations;

    • Limit access to customer login credentials; and

    • Terminate access rights of former employees.

Key Takeaways

The SEC continues to focus on cybersecurity, and the OCIE findings indicate that many Registrants are falling short of their obligations under Regulation S-P. OCIE made clear that compliance is more than just having a policy on paper that uses the Regulation's language: policies and procedures must accurately reflect practices and be implemented effectively throughout Registrants' operations. Doing so requires bringing together the appropriate resources—legal, compliance, operational and information technology—to review and update current policies and operations and to ensure that all personnel are trained on their responsibilities.

 1 Risk Alert - Regulation S-P.pdf

 2 See 17 CFR 248.4-5, 7.

 3 See 17 CFR 248.30(a).

©2021 Katten Muchin Rosenman LLP. National Law Review, Volume IX, Number 115

About the Authors

Henry Bregstein, Katten Muchin Law Firm, Financial Institutions Legal Specialist

Henry Bregstein is the global co-chair of the firm’s Financial Services practice and a member of the firm’s Executive Committee and Board of Directors. In his role as partner in the Financial Services practice, he advises banks, domestic and offshore hedge funds, private equity funds, life insurance companies, family offices, sovereign wealth funds, investment advisers and broker-dealers on regulatory, securities, tax, finance, licensing, corporate and other legal matters.

Henry provides guidance on fund formation and regulatory compliance and advice related to...

Wendy E. Cohen, Financial Services Lawyer, Katten Muchin Law Firm

Wendy E. Cohen represents investment managers and other sponsors of domestic and offshore securities and commodities hedge funds, funds of funds and other public and private pooled investment vehicles, as well as their service providers, including their managers, brokers, financial intermediaries and other financial institutions, and investment professionals. She provides advice on all corporate and related matters facing investment funds, including structure and organization, ongoing operations, restructuring and dissolution.

Having practiced for...

David Y. Dickstein, Financial Services Lawyer, Katten Muchin Law Firm

David Dickstein represents broker-dealers, investment advisers, investment companies and hedge funds in connection with a variety of regulatory, compliance and operational matters. David regularly counsels investment advisers on registration and regulatory matters, such as the need for registration, conflict of interest disclosures, soft dollars and best execution, firm advertising and marketing, federal and state pay-to-play matters, trade allocations and personal trading. He also advises broker-dealers on registration and ongoing compliance matters, mutual fund supermarkets...

Michael T. Foley, Katten, Lawyer, Finance, FINRA, Chicago
Special Counsel

Michael Foley represents broker-dealers, investment advisers and other financial services industry participants with respect to a broad spectrum of legal and regulatory matters arising under the federal securities laws.

Michael has nearly 20 years of experience in private practice and in-house at both a large, full-service broker-dealer and at an online discount broker-dealer, advising broker-dealers and other financial institutions regarding compliance with the federal securities and commodities laws, and with the regulations of the US Securities and Exchange...

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...