SEC issues risk alert on protecting customer records at branch offices

On Behalf of | May 9, 2023 | Regulatory Investigations

The Securities and Exchange Commission has issued a risk alert to firms about safeguarding customer information at branch offices, according to AdvisorHub.

The SEC said its action was aimed at highlighting the importance of establishing written policies and procedures for protecting customer records and information at branch offices.

The commission noted that many broker-dealers and investment advisers consist of a main office and multiple smaller offices. According to the SEC, many firms had implemented safeguards for customer records at their main office but did not have written policies addressing safeguards for their branch offices, despite the existence of similar risks. In some cases this has resulted in firms being victimized by cybersecurity and data breaches.

Under the Safeguards Rule of Regulation S-P, firms are required to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

The SEC said its staff observed common issues related to branch office governance. These included firms not providing guidance to assist branch offices in the selection of vendors who provide services such as cybersecurity, technology operations and business applications. “This resulted in weak or misconfigured security settings on systems and applications at some firms, which could result in unauthorized access to customer records or information,” the alert said.

Other issues involved firms not addressing email configurations at their branch offices, not having data classification policies to identify where customer records are stored electronically at branch offices, and not having adequate controls for password complexity and multi-factor authentication at those offices.

It was also observed that many branch offices were not up to date with the same system patching procedures that had been implemented at main offices to manage technology risk.

The attorneys at Lewitas Hyman include former senior attorneys at the SEC whose legal experience and industry knowledge make them uniquely qualified to provide counsel on securities regulatory, compliance and enforcement matters. Additionally, we regularly monitor SEC, FINRA and other SRO rule-making activities to help ensure that our clients are aware of any new policies while assisting them in implementing any recommended changes. If your firm is facing an investigation from a regulatory agency, please contact Lewitas Hyman at (888) 655-6002 or through our online contact form.