SEC Staff Issues Risk Alert Regarding the Safeguarding of Customer Records and Information at Branch Offices
On April 26, 2023, the SEC’s Division of Examinations issued a risk alert to remind registered broker-dealers and investment advisers of the importance of implementing policies and procedures to safeguard customer records and other information at branch offices. The “safeguards rule” of Regulation S-P requires registered broker-dealers and advisers to adopt written policies and procedures addressing administrative, technical and physical safeguards to protect customer records and information. These policies and procedures must be reasonably designed to keep customer records and information secure and confidential, protect against anticipated threats to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records and information that could result in substantial harm or inconvenience to customers. In the risk alert, the staff indicated that although many firms have implemented policies and procedures to meet these requirements at their main offices, some firms have not done so at branch offices, thereby exposing customers to risk.

In the risk alert, the staff noted the following observations relative to the implementation of the safeguards rule at firms’ branch offices:

• The staff observed firms that failed to ensure that branch offices performed proper due diligence and oversight of vendors that provide services such as cybersecurity, technology operations and business applications. As a result, branch office systems and applications had weak or misconfigured security settings that exposed customer records and information to unauthorized access.

• The staff observed firms that did not manage e-mail accounts for branch offices and that had no policies and procedures to address branch office e-mail configurations, resulting in situations in which branch offices could obtain their own e-mail services from vendors without being subject to firm-imposed security requirements. The staff observed weak e-mail configurations at branch offices that led to accounts being compromised or that failed to capture all account activity, leading to poor incident response capabilities.

• The staff observed firms that did not consistently apply their data classification policies and procedures (which identify where customer records and information should be stored electronically) to their branch offices, resulting in failures to identify and control customer records and information.

• The staff observed firms that did not enforce controls requiring complex passwords and multi-factor authentication for remote access to systems at branch offices, leading to security breaches.

• The staff observed branch offices with out-of-date systems as a result of the failure to apply firm policies and procedures on inventory management, patch management and vulnerability management. The staff also observed firms that were unaware of the systems running on the networks of their branch offices. As a result, branch offices were exposed to greater technology risk and more susceptible to system compromises.