While the headquarters of brokers and advisors do a fairly good job of protecting client information, the same is not necessarily true of their branch offices.
This is the gist of the SEC risk alert issued on Wednesday, which brings to companies' attention that the cybersecurity policies and other procedures they use to protect customer data at their primary locations should extend to their branch offices. It is the latest sign that the industry is still grappling with the ins and outs of remote work, a practice that became entrenched in the industry following the COVID-19 outbreak in March 2020.
Marilyn Miles, senior vice president of regulatory services based in New York, said the risk alert may also be a response to the increase in mergers and acquisitions in the industry in recent years. She took the notice as a sign that the SEC believes acquiring firms are not doing enough to extend their customer safeguards to the businesses they acquire.
“For example, the acquired company may have certain systems for email or filing that aren’t necessarily the systems used by the main office,” Myers said. “Now, changing all that is easier said than done. But the SEC says you need to make sure those shifts happen quickly.”
Amy Lynch, founder and president of FrontLine Compliance in Rockville, Md., agrees that the risk alert is like a warning to companies that have gobbled up smaller firms in recent years. She said the SEC’s priorities demonstrate the importance of consulting a compliance expert as early as possible whenever a merger or acquisition takes place.
“Compliance and risk management people need to be brought in at the beginning of the process,” Lynch said. “If the chief compliance officer had always had a seat in some of these situations, the issues discussed in this alert could have been immediately brought to the attention of business managers.”
The SEC’s alert did not name any companies. Attempts to contact an SEC spokesman were not immediately successful.
The Wall Street watchdog’s risk alert was issued by its exam division, which conducts annual reviews of registered investment advisers and broker-dealers. In the SEC’s 2022 fiscal year, which ended Sept. 30, the division inspected 15 percent of the more than 15,000 RIAs in operation at the time. It also worked with the Financial Industry Regulatory Authority, the broker-dealer industry’s self-regulator, to inspect nearly half of the 3,500 federally registered brokerage firms.
Mergers and acquisitions have been sweeping through the wealth management industry in recent years. Among registered investment advisers, for example, there were 341 M&A deals in 2022, according to research firm Echelon Partners, up from 60 in 2012.
The SEC’s risk alert has drawn attention to several ways in which a company’s main office falls short with respect to its branch locations. Many advisers have procedures in place to vet vendors they may hire to provide cybersecurity or other technology services, the regulator said. But they don’t insist that branches follow the same policy.
“This resulted in weak or misconfigured security settings on some companies’ systems and applications, which could have resulted in unauthorized access to customer records or information,” according to the alert.
This isn’t the first time the SEC has raised concerns about companies hiring third-party vendors. In October, the regulator proposed a rule that would extend a firm’s fiduciary responsibilities to anyone it hires for help with cybersecurity, investment strategy, compliance and other operations. The proposal has been greeted by industry advocates, many of whom complained that it was an unnecessary burden.
Third-party vendors aren’t the only issue raised in the SEC’s latest risk alert. The watchdog also noted that some companies were not doing enough to ensure their branches took appropriate precautions around email and other technologies. For example, some main offices did not ensure that their branch offices took common cybersecurity precautions, such as requiring employees to use complex passwords and multi-factor authentication to access computer systems. Multi-factor authentication typically involves at least two steps, for example entering a password into a computer, followed by a code sent to an employee’s mobile phone.
The SEC said it witnessed instances of branch office computers running on outdated operating systems, making them vulnerable to hacking. It also found that branch offices sometimes worked with third-party vendors on their own, rather than through their headquarters, to install email systems.
“In some cases, weak email configurations have led to account takeover or corporate email compromise,” according to the alert. “In other cases, default email configurations failed to capture all account activity, preventing adequate incident response.”
Likewise, the SEC has observed deficiencies in how companies store customer records. Many main offices have record-keeping procedures in place for customer records stored in electronic format. But those policies don’t always extend to branches, according to the alert.
Cybersecurity has long been one of the SEC’s main concerns. A rule proposed by the regulator in March would give brokers and advisers a tight 30-day deadline to report data breaches to clients. The SEC is also considering proposals that would require companies to immediately notify regulators of breaches and provide detailed reports within 48 hours.