In their latest cybersecurity crackdown, the Securities and Exchange Commission (SEC) sanctioned eight firms for failures in their policies and procedures. The SEC found that each of the firms “violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.”

Specifically, the Safeguards Rule requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

Guidelines to Keep Customer Data Protected

To help ensure your organization doesn’t find itself in the hot seat when it comes to protecting customer data, we’ve put together three fundamental guidelines.

  1. Ensure your PSPs are functional and operational. Many organizations write Policies, Standards, and Procedures (PSPs) that they aspire to but have not yet put into action. For example, a firm’s written policy could require users to have 12-character passwords that are changed every six months. If that firm currently uses 8-character passwords that are only updated annually, then the policy is not functional or operational. When written policies don’t match what’s actually in place, firms can find themselves in hot water when the time comes for an audit or an exam. Even worse is when none of their policies have been implemented, or they don’t have a policy statement at all.
  2. Evolve your safeguards. As the threat landscape evolves, so should your PSPs. At a minimum, they should be reviewed annually. Safeguards should also be reevaluated after any major cyber event, especially if the event was relevant to the technology or types of data protected or used by your firm (e.g., SolarWinds).
  3. Consider your triggers. Changes in workflows, processes, or providers naturally introduce risk and create opportunities for attackers to infiltrate your systems. Examples of these triggers include onboarding a new email system, switching from Amazon Web Services to Microsoft Azure, or working with a new fund administrator. These changes offer organizations the opportunity to review their PSPs and workflows to make sure they’re adequate and continue to be effective once the change has been implemented.

Next Steps

Our clients are obligated to protect confidential customer information. To do so, they must be able to demonstrate that the proper safeguards are in place, tested regularly, adjusted when triggered, and evidenced.

Under Agio’s SEC Cybersecurity Governance Program, firms are covered when it comes to meeting and exceeding SEC requirements. If you have questions about your existing cyber-governance framework and want to talk to one of our cybersecurity experts, contact us.