Branch Offices Lack Policies for Protecting Client Records: SEC

News April 26, 2023 at 06:06 PM

The Securities and Exchange Commission warned broker-dealers and advisors Wednesday about the importance of having written policies and procedures for safeguarding client records and information at branch offices, since some firms have experienced cybersecurity and data breaches.

In a risk alert, the agency's Division of Examinations says that individuals in branch offices often have access to information technology systems that contain client records and information.

"While many of these firms have implemented safeguarding policies and procedures at their main office, some firms did not adopt or implement written policies and procedures that address safeguards for their branch offices despite the existence of the same or similar risks."

In some cases, the agency states, "this failure has resulted in firms falling victim to cybersecurity and data breaches."

The Safeguards Rule of Regulation S-P requires firms to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of client records and information.

During exams, the SEC found that while "many firms implemented policies and procedures for safeguarding customer records and information for their main office, they often did not do so for branch offices."

In particular, SEC exam staff explains that firms were lax in the following areas:

1. Vendor management

In many instances, firms did not appear to reasonably ensure that their branch offices performed proper due diligence and oversight of their vendors as required by the firms' own policies and procedures.

2. Email configuration

Firms often use vendors to provide email services. SEC staff observed that in many instances, these services are managed from the main office where staff or vendors provide accounts for branches. However, in some instances, firms did not manage email accounts for branch offices.

3. Data classification

While firms often maintained written data classification policies and procedures to identify where client records and information were stored electronically, they did not always apply these policies and procedures to branch offices.

4. Technology risk

Though they maintained reasonable technology policies and procedures for their main office, firms did not apply any such policies and procedures in connection with their branch offices in some instances. As a result, branch office systems were more prone to compromises.
