The SEC has recently released a Risk Alert on the “importance of establishing written policies and procedures for safeguarding customer records and information at branch offices.” In this alert, the SEC emphasizes that, while many firms (both registered investment advisers and broker-dealers) have implemented proper safeguarding mechanisms at their home or main offices, some of these firms fail to implement the same mechanisms for their branch or satellite offices, even though the same or similar risks also apply to these offices.
Common Issues Related to Branch Office Governance
Through its examinations and assessments of compliance with Regulation S-P, the SEC has observed common branch office issues within five key categories.
The SEC commonly found that many firm branch offices did not perform the due diligence or ongoing management of the vendors they use (e.g., cybersecurity vendors) that their home offices require, leading to misconfigured or mismanaged security controls on firm systems and applications.
Firms often use external vendors to provide email services, but in some cases the firms do not manage the email accounts and systems used by their branch offices. These firms often lacked proper procedures for these branch office configurations, resulting in compromised business email setups or even the inability to capture all email activity.
The SEC observed that, while many firms do maintain written data classification policies and procedures to identify and protect client records and information, these firms do not always apply these important procedures to their branch offices.
Most firms maintain stringent access management policies (e.g., password protection, multi-factor authentication) for remote access to systems. But the SEC observed that, even though these controls are required for main offices, they are not always required for branch offices, and in some cases this gap resulted in branch offices becoming victims of data breaches.
Many firms take proper steps to mitigate technology risk through inventory, patch, and vulnerability management procedures for their main offices, but these procedures do not always extend to branch or satellite offices. As a result, branch offices are often not up to date on patches and security measures, or even still run end-of-life operating systems, putting these offices at risk of information compromise.
Maintaining Security at All Branches and Locations
As a result of these observations, many firms modified their written policies and took active steps to mitigate these risks. When reviewing operational and security measures, firms should be diligent in considering their entire organization, including all branch offices or remote employees. This diligence will help protect both firm and client data as well as keep the firm in compliance with Regulation S-P. If you or your firm are concerned about your data compliance procedures, don’t hesitate to reach out to the FinTech Law team for experienced compliance guidance.