The protection of customer personal data by branch offices of broker-dealers and investment advisers should be just as robust—and as well-coordinated—as protocols used by the firm’s home office, according to the Securities and Exchange Commission (SEC).
A risk alert issued Wednesday by the SEC’s Division of Examinations found “some firms did not adopt or implement written policies and procedures that address safeguards for their branch offices despite the existence of the same or similar risks.” These failures provide hackers with an avenue to access customer personal information, the agency said.
The Safeguards Rule under Regulation S-P requires firms to adopt written policies and procedures that “address administrative, technical, and physical safeguards for the protection of customer records and information.” These procedures must be reasonably designed to “ensure the security and confidentiality of customer records and information,” protect against threats to that data, and protect against unauthorized access that could harm or inconvenience customers.
SEC examiners found some firms did not provide any due diligence or oversight of their branches’ hiring of vendors in cybersecurity, technology operations, and business applications. The disconnect “resulted in weak or misconfigured security settings on systems and applications at some firms, which could result in unauthorized access to customer records or information,” the agency said.
Some firms did not handle email accounts at their branch offices and “lacked policies and procedures addressing branch office email configurations and allowed branch office staff to obtain their own email services from vendors without specifying the technical requirements adequate to secure the branch offices’ email solution,” the risk alert said. Such misalignment led to account takeovers, business email compromise, and an inability to perform adequate incident response.
Data classification policies and procedures at some firms did not match those at branch offices, resulting in “failure to identify and control customer records and information in some instances,” the alert said.
While the main office of most firms requires password management and two-factor authentication to access data remotely, those same safeguards were not in place at some branch offices. Some data breaches in which hackers accessed company data through branch offices might have been prevented if the main office's safeguards had been in place there, the alert said.
Technology procedures for inventory management, patch management, and vulnerability management in place at main offices were found to be weaker or nonexistent at some branch offices. Some firms were not aware of the systems running in their branch offices, or that those systems were not being regularly updated.
The alert said firms should take steps to ensure that their branch offices' policies and procedures for handling customer personal data adhere to Regulation S-P as stringently as those of the main office, and that there is a thoughtful measure of coordination on this issue between the branches and the main office.