The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced that cybersecurity is a priority for 2019. The division said in December that its examinations will place an emphasis on the configuration of storage systems and information security governance. Pursuant to this goal, the OCIE recently conducted examinations of the cybersecurity measures adopted and implemented by SEC-registered investment advisors and broker-dealers and subsequently issued two risk alerts to address the areas where it observed deficiencies.
On April 16, 2019, the OCIE issued a risk alert intended to assist investment advisers and broker-dealers in providing compliant privacy and opt-out notices to their clients, and in adopting and implementing policies and procedures for safeguarding customer records, pursuant to Regulation S-P. The alert provided a list of the most common deficiencies and weaknesses identified by OCIE staff, including (1) the failure to provide privacy and opt-out notices to customers at the frequency required by Regulation S-P; (2) the failure to adopt policies and procedures to implement the Safeguards Rule set forth in Regulation S-P, which requires a registrant to adopt written policies and procedures to address administrative, technical, and physical safeguards for the protection of customer information; and (3) the use of inadequate written policies and procedures to ensure the confidentiality of customer records and to protect against threats or hazards to the security of customer records. The OCIE encouraged registrants to review their written policies and procedures to ensure their compliance with Regulation S-P.
Then, on May 23, 2019, the OCIE issued a second risk alert to identify security risks it observed with the storage of electronic customer records and information by broker-dealers and investment advisors in network storage solutions, including cloud-based storage. During its examinations, the OCIE identified misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures. The OCIE reminded registrants to (1) adopt policies and procedures that are designed to support the initial installation, on-going maintenance, and regular review of network storage solutions; (2) establish guidelines for security controls and configuration standards; and (3) implement vendor management guidelines and procedures such as software patches and hardware updates.
About Megan Sullivan
Megan Sullivan is a Partner in the New York office of Faruqi & Faruqi, LLP.