Branch Offices Lack Policies for Protecting Client Records: SEC

The Securities and Exchange Commission warned broker-dealers and advisors Wednesday about the importance of having written policies and procedures for safeguarding client records and information at branch offices — since some firms have experienced cybersecurity and data breaches.

In its risk alert, the agency’s Division of Examinations says that individuals in branch offices often have access to information technology systems that contain client records and information.

“While many of these firms have implemented safeguarding policies and procedures at their main office, some firms did not adopt or implement written policies and procedures that address safeguards for their branch offices despite the existence of the same or similar risks.”

In some cases, the agency states, “this failure has resulted in firms falling victim to cybersecurity and data breaches.”

The Safeguards Rule of Regulation S-P requires firms to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of client records and information.

During exams, the SEC found that while “many firms implemented policies and procedures for safeguarding customer records and information for their main office, they often did not do so for branch offices.”

In particular, SEC exam staff explains that firms were lax in the following five areas:

1. Vendor management