Technology Management

Regulatory Obligations

Rule 30 of SEC Regulation S-P requires firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. Newly adopted amendments to Regulation S-P also address incident response programs and require customer notification in the case of unauthorized access or use of customer information. Regulation S-ID (Identity Theft Red Flags) requires firms to develop and implement a written program reasonably designed to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts."1

FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to firms’ operations. FINRA reminds firms that cybersecurity remains one of the principal operational risks facing financial entities. 

SEC Amends Regulation S-P to Enhance Protection of Customer Information

On May 16, 2024, the SEC adopted amendments to Regulation S-P intended to modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information.

The amendments broaden the scope of information covered by Regulation S-P’s requirements, requiring covered institutions to, among other things:

  • develop, implement and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to and recover from any unauthorized access or use of customer information;
  • notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization as soon as practicable (but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred); and      
  • have an incident response program that includes the establishment, maintenance and enforcement of written policies and procedures that are reasonably designed to require oversight, including through due diligence and monitoring, of service providers.

Larger entities must comply with the amendments by December 2, 2025, while smaller entities must comply with the amendments by June 3, 2026. FINRA recommends that all firms review the amendments to ensure they modify their cybersecurity programs, as needed, by the compliance date applicable to their firms. 

For additional information, please see the SEC’s Adopting Release and Fact Sheet concerning the Regulation S-P amendments.

Findings, Observations and Effective Practices

Findings

  • WSPs: Not updating written supervisory procedures (WSPs) to reflect the firm’s current cybersecurity practices; and not enforcing the firm’s WSPs related to cybersecurity.
  • Supervision: Not establishing and maintaining a supervisory system reasonably designed to safeguard customer records and information per Regulation S-P.
  • Identity Theft Prevention Program (ITPP): Not establishing an ITPP reasonably designed to detect, prevent and mitigate identity theft per Regulation S-ID (e.g., not reviewing a large volume of red flags indicating accounts were opened with stolen or false identities); and not responding appropriately to red flags the ITPP detected.
  • Inaccurate Privacy Notices: Providing customers with privacy notices that inaccurately state the extent to which the firm uses their nonpublic personal information.

Observations

  • Branch Office Security Controls: Not establishing security controls that branch offices must follow when they maintain their own email systems or other application systems or servers; and not detecting and responding when a branch office is not compliant with established security controls for maintaining a branch-hosted email or application server.
  • Third-Party Vendor Supply Chain Management: Not maintaining a list of all third-party services, or third-party-provided hardware and software components, that the firm’s technology infrastructure uses.
  • Data Loss Prevention (DLP): Not monitoring network activity to identify unauthorized copying or deletion of customer or firm data, and not monitoring outbound emails to identify sensitive customer data in text or attachments. 
  • Log Management Practices: Not sufficiently logging or retaining data related to business or technical activities to effectively assist with the forensic analysis of cybersecurity incidents (e.g., determining the entry point and scope of an attack).
  • ITPP: Implementing a generic ITPP that is not appropriate for the firm’s size, complexity, and the nature and scope of the firm’s activities, and not periodically updating the firm’s ITPP to reflect changes in identity theft risks.
  • SAR Filings: Not having reasonably designed procedures for investigating cybersecurity events and considering whether a suspicious activity report (SAR) filing is required, consistent with applicable guidance from FinCEN.

Effective Practices

  • Account Access Authentication: Requiring multi-factor authentication (MFA) for login access to the firm’s operational, email and registered representatives’ systems for employees, contractors and customers, and using tools to identify potential unauthorized access to the firm’s internal and customer-facing systems.
  • Data Backups: Completing regular backups of critical data and systems, and ensuring the backup copies are encrypted and stored off-network; and regularly testing the recovery of data from backups to ensure information can be restored from backup systems.
  • Third-Party Vendor Management: Maintaining a list of all third-party-provided services, systems and software components that can be leveraged to assess firm impact in the event of a cybersecurity incident at one of the firm’s third-party vendors. 
  • Branch Office Procedures: Limiting the use of branch-managed servers for email or other applications (e.g., customer relationship management, reporting) and, if branch-managed servers are permitted, ensuring adequate security controls are maintained. 
  • Risk Assessments: Regularly assessing the firm’s cybersecurity risk profile based on changes in the firm’s size and business model and newly identified threats; and regularly updating the firm’s cybersecurity program and AML program based on those assessments.
  • Secure Configurations: Confirming that desktops, laptops and servers are using current software systems with secure settings that expose only required services to reduce system vulnerabilities; and implementing timely application of systems security patches, especially those addressing known vulnerabilities that are actively being exploited by threat actors.
  • Digital Transformation and the Adoption of Cloud: Following a structured planning and design process when adopting cloud-based systems or technology to ensure adequate preparation.
  • Log Management: Capturing log data from a broad set of sources and retaining it for a sufficient amount of time (e.g., a minimum of 24 months).
  • IT Resiliency: Implementing and testing firm controls to ensure established acceptable service levels are maintained during disruption of critical business operations relying on IT systems. 

1 See 17 CFR 248.201(b)(3), which defines “covered account” as: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.