SEC risk alert flags branch office cybersecurity controls
By Aaron Nicodemus, 2023-04-27T18:43:00
The protection of customer personal data by branch offices of broker-dealers and investment advisers should be just as robust—and as well-coordinated—as protocols used by the firm’s home office, according to the Securities and Exchange Commission (SEC).
A risk alert issued Wednesday by the SEC’s Division of Examinations found “some firms did not adopt or implement written policies and procedures that address safeguards for their branch offices despite the existence of the same or similar risks.” These failures provide hackers with an avenue to access customer personal information, the agency said.
The Safeguards Rule under Regulation S-P requires firms to adopt written policies and procedures that “address administrative, technical, and physical safeguards for the protection of customer records and information.” These procedures must be reasonably designed to “ensure the security and confidentiality of customer records and information,” protect against threats to that data, and protect against unauthorized access that could harm or inconvenience customers.