Agio, a cyber-security and managed IT services provider for financial services, announced enhancements to its Securities and Exchange Commission cyber-security mock audit service. The offering provides guidance for registered investment advisers and broker-dealers on the administrative, technical, and physical policies required to safeguard customer records and information in compliance with SEC requirements.
Agio’s announcement follows a decision by the SEC’s Office of Compliance Inspections and Examinations (OCIE) on April 16 to issue a formal risk alert listing notable deficiencies among firms’ efforts to comply with Regulation S-P. Select policies and procedures that were reviewed failed to account for safeguarding customer information on personal devices, configuring these devices accordingly, prohibiting employees from sending customer personally identifiable information (PII) to unsecure locations, and designing incident response plans with role assignments and frequent assessments of system vulnerabilities.
Regulation S-P is the primary SEC rule regarding initial privacy notices, annual privacy notices, and opt-out notices that investment advisers and broker-dealers must offer their customers regarding the sharing of non-public personal information and PII with non-affiliated third parties.
Agio’s audit service presents preliminary findings and a final detailed report focusing on six key areas: governance and risk management; access rights and controls; data loss prevention; vendor management; training; and incident response.