Risk Alert: Safeguarding Customer Records and Information at Branch Offices

   

Risk Alert: Safeguarding Customer Records and Information at Branch Offices 

On April 26, 2023 the Division of Exams (EXAMS) released a Risk Alert: Safeguarding Customer Records and Information at Branch Offices. This Risk Alert highlights the importance for Advisors to maintain written policies and procedures for safeguarding customer records and information at branch office locations in compliance with the Safeguards Rule of Regulation S-P (Safeguard Rule). As a reminder, the Safeguards Rule of Regulation S-P states: “Firms must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” EXAMS’ assessment of Advisor’s compliance with the Safeguard Rule, led the Staff to notating that generally most Advisor’s implemented policies and procedures at their primary office locations, but they were not enforced at branch locations. Common deficiencies discovered by the Staff include:

Vendor Management: No reasonable assurance that branch offices performed third party vendor due diligence and/or oversight resulting in faulted security settings and systems which can result in unauthorized access to client personally identifiable information and related records. In certain instances, Firm’s did not guide or assist branch offices in its selection of vendors, prompting further disparity.

Data Classification: Although procedures often existed for data classification within books and records policies, they were not always applied to branch offices resulting in a failure to identify and control customer records and information.

Access Management: Policies and procedures regarding password complexity and multi-factor authentication for remote access to Advisor systems existed at the primary office, but not at branch offices. Some branch offices under review were victims of cyber breaches, which may have been deterred had password complexity and multi factor authentication been a factor prior to intrusion.

Technology Risk: Although primary office locations had implemented policies and procedures for inventory, patching, and vulnerability management, it did not always carry through to branch offices resulting in out-of-date networks, end of life operating systems, and vulnerabilities through outdated system patching.

In review of these observations, key takeaways from the Risk Alert can be summarized as the following: Enhance Branch Office Inspections – As part of an Advisor’s oversight, branch office location reviews should be conducted periodically to ensure compliance with securities laws and adherence to firm policies and procedures. Each of the prescribed items above, should be review factors when completing the assessment of the branch location. Examples may be:

• Collecting a list of all third-party vendors utilized at the branch and the vendors applicable due diligence.
• Completing a forensic test of the branch office’s books and records to ensure compliance with the Advisor’s policies.
• Collecting a list of all branch hardware, including personal devices utilized for business purposes, used by supervised persons to complete a technology audit for patches, updates, disclosure of hardware used, etc.
• Completing a technology entitlement review to ensure that supervised persons only have access to systems they need to complete their job function and limit access to customer records and information.

If the branch office is not in line with primary branch policies and procedures, remediation action should be taken and potentially logged as a compliance violation accordingly.

Enhancing Vendor Due Diligence – Vendor due diligence and oversight is a hot button item for regulators, and as such a Firm should highly scrutinize their process. Advisors must implement policies and procedures for performing initial and ongoing vendor due diligence and oversight for third party service providers and vendors. Best practices for completing vendor due diligence could include:

• Creating a list of preferred vendors of the firm that supervised persons are required to follow whether in a primary office or branch location.
• Creating a process for requesting new vendors be utilized at both the primary and branch office location.

Creating a process for ongoing due diligence of vendors - An Advisor’s initial and ongoing due diligence process of vendors should be streamlined and concise across all vendors. Utilization of tools such as a questionnaire can assist in obtaining data and documentation. An emphasis should be placed on cybersecurity and client data protection when dealing with third party vendors such as:

• Obtaining the vendor’s Information Security Program with an understanding of any potential incidents and applicable employee training.
• An understanding of vendor’s risk assessments and testing such as external penetration testing, or audit reports (SAS 70, SSAE 16, etc.)
• An understanding of change management and service reliability such as Recovery Time Objectives (RTO) or Recovery Point Objectives (RPO), geographic areas of operation, etc.
• Business Continuity/Disaster Recovery procedures and backup plans.
• Network and data security such as data encryption, client data disposal procedures, client privacy especially in cases of subpoenas, network patching, etc.

When implementing policies and procedures, not only must they comply with Regulation S-P, but Advisors need to ensure compliance of the entire organization. Failure to follow implemented policies and safeguards can result in cyber intrusions, and deficiencies in compliance with regulations, both of which can be detrimental to an Advisor’s reputation and potentially costly for both the Advisor and client.

Should you have questions, please don’t hesitate to reach out today. 

Posted in: