SEC Cybersecurity Resources

Published On: 06 June 2025

Selected Cybersecurity and Regulation S-P Resources

Regulation S-P Compliance Date

The Regulation S-P Amendments were published in the Federal Register on June 3, 2024 as Investment Advisers Act Release No. 6604 (the “Release”); the compliance date for larger entities (advisers with $1.5 billion or more under management) is 18 months from publication (December 2, 2025); smaller entities have 24 months from publication (June 2, 2026). Independent of the amendment requirements, registered investment advisers have existing obligations under Regulation S-P. There are also extensive existing state-level requirements in all 50 states, which are discussed on page 160 of the Release. Certain investment advisers also have existing obligations under Regulation S-ID. The SEC has indicated that compliance with Regulation S-ID and S-P will be an examination priority in 2025.

This resource guide includes selected SEC Examination Priorities, Risk Alerts, and Enforcement Actions. It also includes certain FINRA and NFA resources as well as references to the NIST Frameworks and selected state law requirements:

SEC Examination Priorities: Information Security, Regulation S-ID and Regulation S-P

See Exam Priorities p. 12: Cybersecurity: The Division [of Examinations] will continue to review registrant practices to prevent interruptions to mission critical services and to protect investor information, records, and assets. Operational disruption risks remain elevated due to the proliferation of cybersecurity attacks, firms’ dispersed operations, weather-related events, and geopolitical concerns. As part of its examinations in this area, the Division will examine registrants’ procedures and practices to assess whether they are reasonably managing information security and operational risks. A perennial examination priority, the Division’s focus on cybersecurity practices by registrants remains vital to ensure the safeguarding of customer records and information, as applicable. Particular attention will be on firms’ policies and procedures, governance practices, data loss prevention, access controls, account management, and responses to cyber-related incidents, including those related to ransomware attacks. The Division will also review alternative trading systems’ safeguards to protect confidential trading information. With respect to third-party products and services in particular, the Division will continue to consider cybersecurity risks and resiliency goals associated with third-party products, sub-contractors, services, and any information technology (IT) resources used by the business without the IT department’s approval, knowledge or oversight, or non-supported infrastructure. The focus will include assessments of how registrants identify and address these risks to essential business operations.

Regulation S-ID and S-P

The Division will assess registrant compliance with Regulations S-ID and S-P, as applicable. Examinations will focus on firms’ policies and procedures, internal controls, oversight of third-party vendors, and governance practices. In addition, the Division will focus on firms’ policies and procedures as they pertain to safeguarding customer records and information at firms providing electronic investment services, including:

  • Identification and detection to prevent and protect against identity theft during customer account takeovers and fraudulent transfers.
  • Firms’ practices to prevent account intrusions and safeguard customer records and information, including personally identifiable information, especially as it pertains to firms with multiple branch offices.
  • Firm training on identity theft prevention program and whether their policies and procedures are reasonably designed to protect customer records and information. Examinations will also assess a firm’s efforts to address operational risk, including technology risks, as operational failures may impact a firm’s ability to safeguard customer records and information.

In preparation for the compliance date of the Commission’s amendments to Regulation S-P, the Division will engage with firms during examinations about their progress in preparing to establish incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.

SEC Website

See the SEC’s Cybersecurity Spotlight web page. This page contains, among other things, information on (i) Cybersecurity and Infrastructure Security Agency (“CISA”) news, threats and advisories; (ii) ransomware; (iii) SEC cyber-related examination priorities; and (iv) cyber-related enforcement actions.

Selected SEC Enforcement Actions

SEC Charges Investment Adviser R.T. Jones Capital With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach (Sept. 22, 2015); Press Release; SEC Order. R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933 (the “Safeguards Rule”) during a nearly four-year period when it failed to adopt any written policies and procedures (as required by Regulation S-P) to ensure the security and confidentiality of personally identifiable information (“PII”) and protect it from anticipated threats or unauthorized access.

Orical anticipates that advisers will face similar scrutiny with respect to the 2024 amendments requiring additional new written policies and procedures to safeguard and dispose of investor information.

R.T. Jones had investor information housed on a third-party hosted website which was not secure. The website was hacked and the PII of over 100,000 individuals was vulnerable to theft and exploitation. The adviser handled the breach well (it notified all individuals whose PII may have been compromised, for example) but did not have the written policies and procedures required by Regulation S-P.

The remediation done by R.T. Jones following the hack of its website should be done by every registered investment adviser now, prior to a breach:

R.T. Jones appointed an information security manager to oversee data security and protection of PII, and adopted and implemented a written information security policy that includes a requirement to conduct periodic risk assessments as well as procedures for responding to a cybersecurity incident. The firm stopped storing PII on its webserver and any PII stored on its internal network was encrypted. The firm has also installed a new firewall and logging system to prevent and detect malicious incursions. Finally, R.T. Jones retained a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.

Similarly, advisers should assess where investor information is stored and confirm that the location is the most secure available. Such information should be encrypted in storage as well as in transit. Only firm personnel with a business need should have access to such critical files and data. And those employees with administrative rights to change who has access to PII should be few in number and carefully monitored.

Morgan Stanley Smith Barney (“MSSB”) to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers (Sept. 20, 2022); Press Release; SEC Order. This action reads like a modern-day adaptation of Shakespeare’s Comedy of Errors. It highlights the importance of understanding and complying with Regulation S-P’s Disposal Rule (Rule 30(b)). MSSB (dually registered as an investment adviser and broker-dealer) hired a moving and storage company (“Moving Company”) (with literally no experience or expertise in data destruction services) to decommission thousands of hard drives, servers and back-up tapes containing customer information at various data centers, including in Poughkeepsie, NY and Columbus, OH. Moving Company submitted a joint bid with IT Company A to dispose of the devices, hard drives, tapes and data.

Only Moving Company was formally approved as an MSSB vendor, not IT Company A. The contract contemplated that MSSB would receive an asset report and a disposition report (essentially inventories of the devices collected and whether they were returned to MSSB, resold or destroyed), as well as Certificates of Destruction (“CODs”) documenting the destruction of the devices. Soon after signing the contract, Moving Company stopped working with IT Company A and hired IT Company B, without notifying MSSB. MSSB had the ability to monitor the data destruction process and the cessation of activity by IT Company A but did not do so. IT Company B mistakenly thought that IT Company A had “wiped” the devices. Consequently, IT Company B sold the drives and devices at auction. One purchaser at auction noticed unencrypted personal information of MSSB customers still on the hard drives purchased at auction and wrote to MSSB that, as a major financial institution, it should be more careful with customer information!

MSSB had had the opportunity to encrypt the data on the drives but neglected to do so. MSSB notified approximately 15 million customers that their personal information may have been compromised. MSSB violated the Safeguards Rule, Rule 30(a) of Regulation S-P, and the Disposal Rule, Rule 30(b) of Regulation S-P, and paid a civil money penalty to the SEC in the amount of $35 million.

This case illustrates the importance of having effective policies and procedures around the disposal process of Customer and Consumer Information as required by the Regulation S-P amendments. Service providers should be carefully vetted, selected and monitored. Subcontractors are also crucial. A strict chain of custody of any files or hard drives containing Customer Information should be maintained if they are taken off premises for destruction. Such files and drives should be destroyed within a reasonable time frame. And the firm should receive a certificate of destruction memorializing the destruction of the carefully inventoried and identified files or equipment.

SEC Charges Firm With Deficient Cybersecurity Procedures (Sept. 26, 2018); Press Release; SEC Order (Voya Financial Advisors, Inc.). The SEC found that Voya, a dually registered investment adviser and broker-dealer, violated the Safeguards Rule as well as the Identity Theft Red Flags Rule, Rule 201 of Regulation S-ID (17 CFR Section 248.201), and was required to pay a civil monetary penalty of $1 million. Voya failed to adopt written policies and procedures required by the Safeguards Rule and failed to develop and implement, train on, or update a written Identity Theft Prevention Program required by Regulation S-ID. Voya gave its contractor representatives access to Voya’s proprietary web portal. Intruders called Voya’s technical support line, impersonated Voya representatives and requested that their passwords be reset—which they were. The intruders were also given user names over the phone. One targeted contractor representative received an email that his password was reset. He called Voya’s technical support team to say that he had not requested a password reset. The intruders used phone numbers that had been flagged for previous fraudulent activity. The intruders gained access to approximately 5,600 investor records including personally identifiable information.

Another aspect of this case is relevant for advisers seeking guidance today, and that is the use of personal computers to access the firm’s network. In Voya’s case, contractor representatives’ personal computers were permitted for access to firm email and systems, but they were supposed to be evaluated and scanned three times per year to ensure that antivirus software, encryption and certain software updates were installed and optimized. This requirement was not followed and there was poor follow-up.

It raises the issue of whether personal computers should be permitted at all. It is much easier for an adviser to ensure that a firm-issued computer has the appropriate software configuration, is up to date, and can be wiped if lost or stolen.

SEC Announces Three Actions Charging Deficient Cybersecurity Procedures (Aug. 30, 2021); Press Release; SEC Order (Cetera Entities); SEC Order (Cambridge Entities); SEC Order (KMS Financial Services, Inc.). Each of these three SEC enforcement actions involves unauthorized third parties taking over email accounts by means of phishing, credential stuffing or other modes of attack. Each of the entities violated the Safeguards Rule, but one firm also misled investors in its notification of a breach by suggesting that the notice was issued closer in time to the breach than it actually was. The firms either did not have policies and procedures or the ones they had were inadequate. The SEC noted that security measures such as multi-factor authentication were available but were not implemented in a timely fashion.

SEC Charges Issuer With Cybersecurity Disclosure Controls Failures (June 15, 2021); Press Release; SEC Order (First American Financial Corporation). A cybersecurity journalist notified First American, whose products involve residential real estate transactions, including title insurance and escrow services, of a vulnerability in its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the SEC on May 28, 2019. However, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk. In particular, First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier but had failed to remediate it in accordance with the company’s policies. First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the SEC.

SEC Charges Pearson plc for Misleading Investors About Cyber Breach (Aug. 16, 2021); Press Release; SEC Order. The SEC found that Pearson, a multinational educational publishing and services company, made misleading statements and omissions about a data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. In a July 2019 media statement, Pearson stated that the breach may include dates of birth and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and passwords were stolen.

SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 23, 2023); see the SEC Press Release and SEC Complaint. The SEC charged SolarWinds (an IT firm that sells proprietary IT and cyber software) and its Chief Information Security Officer (“CISO”), Timothy Brown, with fraud and internal control failures and for making false and misleading statements in its Form S-1 Registration Statement, other SEC filings and on SolarWinds’ public website. The Company and Brown neither disclosed nor remediated known cybersecurity vulnerabilities with respect to compliance with the National Institute of Standards and Technology (“NIST”) framework, the Secure Development Lifecycle (“SDL”), access controls (including the known VPN vulnerability) or passwords. Bad actors entered the Company’s network (via VPN) with their own personal cell phones and laptops and inserted malware over a two-year period that was then sent out to over 18,000 SolarWinds customers, including U.S. federal government agencies and IT firms.

While much of the SEC’s case was dismissed, this is an important case and has been controversial in the IT world because the CISO was named personally. However, it is consistent with the SEC’s treatment of Chief Compliance Officers under the Advisers Act. CCOs risk personal liability if they know about a compliance issue and try to cover it up or lie about it. The CCO may not be able to correct a risk but must be on record as identifying the risk to senior management and suggesting corrective action. Also applicable to Registered Investment Advisers is the concept of appropriate disclosures about known risks. Investors have a right to know about all material facts before they invest.

Other SEC Guidance

Risk Alert: Safeguarding Customer Records and Information at Branch Offices (April 26, 2023). In this Risk Alert, applicable to broker-dealers and investment advisers, the SEC identifies a higher incidence of Regulation S-P compliance violations at “branch offices,” broadly defined to include any location other than a firm’s main office, including offices of any independent contractors through which the firm may offer investment products and services. The SEC found that certain policies and procedures effectively implemented at a firm’s main office are not necessarily implemented or followed at branch offices. The SEC found weaknesses in the following five areas: (i) vendor management, (ii) email configuration, (iii) data classification, (iv) access management and (v) technology risks. Firms should consider their entire organization, including branch offices, when implementing written policies and procedures for the safeguarding of customer records and information, to ensure they are compliant with Regulation S-P.

Risk Alert: Observations From Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID (Dec. 5, 2022). Firms must determine, and then periodically reassess, whether they offer or maintain covered accounts. Many firms fail to conduct a risk assessment or establish a written identity theft prevention program. Firms also fail to conduct adequate staff training and fail to evaluate the controls of their service providers. The Risk Alert outlines the required elements of a compliant Regulation S-ID program. Just prior to the release of this Risk Alert, the SEC announced charges against three broker-dealers for violating the Identity Theft Red Flags Rule, which came out in 2013 pursuant to Investment Advisers Release No. 3582 (Apr. 10, 2013).

Risk Alert: Cybersecurity: Safeguarding Client Accounts against Credential Compromise (Sep. 15, 2020). This Risk Alert highlights “credential stuffing” — a method of cyber-attack on client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information. The SEC observed that many firms have adopted policies with respect to: (i) recognized password standards, such as those of the NIST Information Technology Laboratory; and (ii) multi-factor authentication (“MFA”), which employs multiple verification methods to authenticate a person seeking to log into an account.

SEC Cybersecurity and Resiliency Observations (Jan. 27, 2020). Issues discussed include: Governance and Risk Management; Access Rights and Controls; Data Loss Prevention; Mobile Security; Incident Response and Resiliency; Vendor Management; Training and Awareness; and Additional Resources.

Risk Alert: Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (May 23, 2019). The SEC found that practices with respect to the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage, did not always take advantage of encryption, password protection, and other security features. Weak or misconfigured security settings on a network storage device could result in unauthorized access to stored information, which may raise compliance issues under Regulations S-P and S-ID.

Risk Alert: Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (April 16, 2019). This Risk Alert details the most frequent Regulation S-P compliance issues, including: (A) failure to send privacy and opt-out notices; (B) lack of written policies and procedures required by Regulation S-P; and (C) failure to implement policies reasonably designed to safeguard customer records and information, such as with respect to: (i) use of personal laptops; (ii) electronic communications of unencrypted emails to customers containing PII; (iii) training and monitoring; (iv) use of unsecure networks; (v) outside vendors; (vi) PII inventory; (vii) written incident response plan; (viii) unsecure physical locations; (ix) login credentials; (x) departed employees.

Risk Alert: Observations From Cybersecurity Examinations (Aug. 7, 2017). This Risk Alert also contains a good catalogue of earlier Risk Alerts and Investment Management Guidance. It covers observations from 75 examinations. Most firms: (i) conduct periodic risk assessments of critical systems to identify cyber threats and vulnerabilities; (ii) conduct penetration tests and vulnerability scans; (iii) use systems or tools to prevent, detect, and monitor data loss (especially PII); and (iv) ensure regular system maintenance, including installation of software patches. Information protection programs include policies and procedures that address cyber security, business continuity planning, Regulation S-P and Regulation S-ID. The Staff noted the following robust policies and procedures: (i) maintenance of an inventory of data, information and vendors; (ii) detailed cybersecurity-related instructions, including with respect to: (a) penetration tests; (b) security monitoring and system auditing; (c) access rights for employee onboarding, changing positions or responsibilities, or termination; and (d) reporting the loss, theft or inadvertent disclosure of information; (iii) vulnerability scans and software patch management at regular intervals, and established and enforced controls on access to data and systems; (iv) mandatory employee training; and (v) engagement of senior management to vet and approve policies and procedures.

Risk Alert: OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015). The SEC outlines its examination focus and will look at: (i) governance and risk assessment; (ii) access rights and controls; (iii) data loss prevention; (iv) vendor management; (v) training; and (vi) incident response. This Risk Alert also has a useful Appendix that outlines key areas of focus for each of the six main areas outlined above.

FINRA Guidance

FINRA Cybersecurity and Technology Management.

Cybersecurity and Cyber-Enabled Fraud (part of the 2025 FINRA Annual Regulatory Oversight Report, Jan. 28, 2025).

NFA Guidance

NFA Cybersecurity FAQs.

NFA Self-Examination Questionnaire.

Interpretive Notice 9070 Information Systems Security Program.

Certain State Law Requirements

See Release p. 160: There are existing data breach notification requirements in all 50 States and the District of Columbia. For 46 States, a notification obligation is triggered when some type of “personal information” of a State’s resident is either accessed or acquired in an unauthorized manner. Five States require notification whenever there is unauthorized access. Twenty States have customer information safeguard requirements, and 30 States have customer information disposal requirements.

National Institute of Standards and Technology (“NIST”) US Department of Commerce

NIST Frameworks. The NIST Cybersecurity Framework (CSF) 2.0 provides a widely used framework for cybersecurity for all types of organizations. The framework consists of six functions: Govern; Identify; Protect; Detect; Respond; and Recover.