privacy-data-security
Privacy and Data Security
Purpose
Guide the design, implementation, and operation of privacy and data security programs for SEC-registered investment advisers, broker-dealers, investment companies, and other financial services firms. This skill covers Regulation S-P (privacy of consumer financial information), Regulation S-ID (identity theft prevention), SEC cybersecurity rules and examination expectations, incident response requirements, state privacy law intersections, vendor and third-party risk management, data governance, and employee training obligations.
Layer
9 — Compliance & Regulatory Guidance
Direction
prospective
When to Use
- Designing or reviewing a firm's written information security program under the Reg S-P Safeguards Rule
- Drafting or updating initial and annual privacy notices under Reg S-P
- Evaluating whether the firm qualifies for the FAST Act annual privacy notice exception
- Building an Identity Theft Prevention Program under Reg S-ID (Red Flags Rule)
- Preparing for an SEC cybersecurity-focused examination
- Responding to a data breach or cybersecurity incident affecting customer NPI
- Assessing vendor and third-party service provider data security arrangements
- Determining state breach notification obligations across multiple jurisdictions
- Designing data classification, access control, and encryption policies
- Evaluating compliance with New York DFS 23 NYCRR 500 cybersecurity requirements
- Implementing employee training programs for privacy and cybersecurity awareness
- Reviewing cloud service provider arrangements for SEC examination readiness
- Assessing whether a cybersecurity incident triggers SAR filing obligations
Core Concepts
Regulation S-P (Privacy of Consumer Financial Information)
Regulation S-P (17 CFR Part 248, Subparts A and B) implements Title V of the Gramm-Leach-Bliley Act (GLBA) for entities registered with the SEC. It applies to SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. The regulation has three core components:
Privacy Notice Requirements. Firms must provide an initial privacy notice to each customer at the time of establishing the customer relationship (17 CFR 248.4). The notice must describe: (a) categories of nonpublic personal information (NPI) collected, (b) categories of NPI disclosed to third parties, (c) categories of affiliates and nonaffiliated third parties to whom NPI is disclosed, (d) the customer's right to opt out of certain disclosures, (e) the firm's policies and practices for protecting confidentiality and security of NPI, and (f) any disclosures required under the Fair Credit Reporting Act. Annual privacy notices must be delivered once during each 12-month period for the duration of the customer relationship (17 CFR 248.5). The FAST Act of 2015 (Pub. L. 114-94, Section 75001) created an exception to the annual notice requirement: firms that (i) share NPI only under the exceptions in 17 CFR 248.14 and 248.15, and (ii) have not changed their privacy policies and practices since the most recent notice, may satisfy the annual requirement by posting the privacy notice continuously on their website in a clear and conspicuous manner rather than mailing it to each customer.
Opt-Out Requirements. Before sharing NPI with nonaffiliated third parties, firms must provide customers with a reasonable opportunity to opt out (17 CFR 248.7 and 248.10). The opt-out notice must be clear, conspicuous, and delivered along with or as part of the privacy notice. Exceptions to the opt-out requirement include: (a) disclosures necessary to effect, administer, or enforce a transaction requested by the customer, (b) disclosures to service providers and joint marketing partners under written contractual agreements that restrict the third party's use of NPI, (c) disclosures with customer consent, (d) disclosures to protect against fraud, and (e) disclosures required by law (17 CFR 248.14 and 248.15). Joint marketing agreements must include written contracts specifying that the third party will maintain the confidentiality of NPI and will use it only for the purposes for which it was disclosed.
Safeguards Rule. Section 248.30 requires every covered institution to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Administrative safeguards include designating a responsible employee or officer, conducting risk assessments, implementing employee training, and establishing oversight of service providers. Technical safeguards include access controls, encryption, intrusion detection systems, and monitoring of information systems. Physical safeguards include secure storage of records, controlled access to facilities, and proper disposal of documents. The policies must be reasonably designed to: (a) ensure the security and confidentiality of customer records and information, (b) protect against anticipated threats or hazards to the security or integrity of such records, and (c) protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to the customer.
Disposal Rule. Section 248.30(b) requires proper destruction of consumer report information (information derived from consumer reports). Reasonable measures for disposal include shredding physical documents, erasing or destroying electronic media, and entering into contracts with third-party disposal services that require proper destruction.
Regulation S-ID (Red Flags Rule)
Regulation S-ID (17 CFR 248.201-202) implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) for SEC-regulated entities. It requires financial institutions and creditors that hold "covered accounts" to develop and implement a written Identity Theft Prevention Program (ITPP) designed to detect, prevent, and mitigate identity theft.
Covered Accounts. Two categories of accounts are covered: (a) accounts primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions (e.g., brokerage accounts, margin accounts, advisory accounts with ongoing services), and (b) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Identity Theft Prevention Program Requirements. The ITPP must include reasonable policies and procedures to: (1) identify relevant red flags applicable to the firm's covered accounts, drawing from five categories of red flags (alerts, notifications, or warnings from consumer reporting agencies; suspicious documents; suspicious personal identifying information; unusual use of or suspicious activity related to a covered account; and notices from customers, victims of identity theft, law enforcement, or other persons regarding possible identity theft); (2) detect red flags that have been incorporated into the program; (3) respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and (4) ensure the program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the firm.
Administration. The ITPP must be approved by the board of directors, a committee of the board, or senior management (17 CFR 248.201(d)). Ongoing administration includes: assigning specific responsibility for the program's implementation, training staff to carry out the program, exercising appropriate and effective oversight of service provider arrangements (ensuring that service providers' activities in connection with covered accounts are conducted in accordance with reasonable policies and procedures to detect, prevent, and mitigate identity theft), and ensuring the program is updated as necessary.
SEC Cybersecurity Rules and Guidance
The SEC has addressed cybersecurity through a combination of rulemaking, interpretive guidance, and enforcement.
Public Company Disclosure Rules (2023). In July 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that an incident is material. Companies must also disclose their cybersecurity risk management, strategy, and governance on Form 10-K (Item 1C of Regulation S-K). Required disclosures include: processes for assessing, identifying, and managing cybersecurity risks; whether cybersecurity risks have materially affected or are reasonably likely to materially affect the company's business strategy, results of operations, or financial condition; the board of directors' oversight of cybersecurity risk; and management's role in assessing and managing cybersecurity risks.
Registered Entity Cybersecurity Expectations. For SEC-registered investment advisers and broker-dealers, the SEC had not adopted a standalone cybersecurity rule as of this writing. However, the SEC enforces cybersecurity obligations through existing authority, principally the Reg S-P Safeguards Rule (17 CFR 248.30), the books-and-records rules (SEC Rule 17a-4, IA Act Rule 204-2), and the general antifraud provisions. The SEC proposed rules in February 2022 (Release Nos. 33-11028, 34-94382, IA-5956) that would require registered investment advisers and funds to adopt and implement written cybersecurity policies, report significant cybersecurity incidents to the SEC on a new confidential form, and disclose cybersecurity risks and incidents to clients and investors. While these proposals had not been adopted in final form as of this writing, they signal the direction of SEC rulemaking, and firms should evaluate their programs against the proposed requirements.
SEC EXAMS (formerly OCIE) Examination Priorities. Cybersecurity has been a top SEC examination priority since 2014. Key areas examined include: governance and risk assessment (board or senior management oversight, CISO or equivalent role, documented risk assessments), access rights and controls (least privilege, multi-factor authentication, access logging, prompt deprovisioning of terminated employees), data loss prevention (monitoring for unauthorized data transfers, encryption at rest and in transit, endpoint protection), vendor management (due diligence on third-party service providers, contractual security requirements, ongoing monitoring), incident response (written plans, testing and tabletop exercises, escalation procedures), and training (frequency, content, phishing simulation results).
SEC Enforcement. The SEC has brought enforcement actions against registered firms for cybersecurity failures under Reg S-P's Safeguards Rule and under the Identity Theft Red Flags Rule. Notable enforcement themes include: failure to implement written policies and procedures for protecting customer information, insufficient access controls (e.g., allowing shared credentials, failing to implement multi-factor authentication), failure to detect and respond to known vulnerabilities, and misleading disclosures about cybersecurity practices following a breach.
Incident Response Requirements
Regulatory expectations require financial firms to maintain comprehensive incident response capabilities.
Written Incident Response Plan. The SEC expects registered firms to maintain a written incident response plan that includes: designation of an incident response team with clear roles and escalation authority; procedures for detecting and classifying incidents by severity; containment procedures to limit the scope and impact of an incident; evidence preservation protocols (forensic imaging, log retention, chain of custody documentation); eradication and recovery procedures; internal escalation and reporting timelines (to senior management, the board, legal counsel, and the compliance department); external notification procedures (to customers, regulators, and law enforcement as required); and a post-incident review process to identify root causes and remediation actions.
Customer Notification. Under current law there is no general federal SEC breach notification requirement for investment advisers or broker-dealers. However, state breach notification laws apply in all 50 states, the District of Columbia, and U.S. territories, and they impose varying notification obligations depending on the types of data compromised, the number of individuals affected, and the state in which the affected individual resides. Most states require notification within 30 to 60 days of discovery; some states, such as Florida (30 days under Fla. Stat. 501.171) and Colorado (30 days under C.R.S. 6-1-716), impose shorter deadlines. Firms operating in multiple states must comply with the notification requirements of each state where affected individuals reside, which often means complying with the most restrictive standard.
Regulatory Notification. While there is no general SEC breach reporting rule for advisers and broker-dealers, certain circumstances may trigger reporting obligations: (a) if the breach involves potential financial crime, SAR filing obligations under BSA/AML rules may apply; (b) FINRA expects member firms to notify FINRA of significant cybersecurity incidents; (c) New York DFS-regulated entities must notify DFS within 72 hours of a cybersecurity event that has a reasonable likelihood of materially harming normal operations (23 NYCRR 500.17); and (d) the SEC's proposed cybersecurity rules would, if adopted, require significant incident reporting to the SEC.
Law Enforcement Coordination. Firms should establish relationships with relevant law enforcement agencies (FBI, Secret Service, state attorneys general) before an incident occurs. In the event of a breach, law enforcement may request a delay in public notification to avoid compromising an investigation; firms should work with counsel to balance this request against state breach notification deadlines.
SAR Filing. If a cybersecurity incident involves or is connected to potential financial crime — for example, unauthorized access leading to theft of funds, account takeovers, or identity theft used to facilitate fraudulent transactions — the firm must evaluate whether a Suspicious Activity Report should be filed under its BSA/AML obligations. The SAR should describe the cybersecurity incident, the nature of the suspected criminal activity, and the impact on customer accounts.
State Privacy Laws
Financial firms face a layered regulatory environment where federal securities privacy rules intersect with state privacy and cybersecurity legislation.
California (CCPA/CPRA). The California Consumer Privacy Act (Cal. Civ. Code 1798.100 et seq.), as amended by the California Privacy Rights Act (effective January 1, 2023), grants California residents broad rights over their personal information, including rights to know, delete, correct, and opt out of the sale or sharing of personal information. Financial institutions are partially exempt from the CCPA/CPRA to the extent they are subject to the GLBA and collect, process, sell, or disclose personal information pursuant to GLBA. However, the exemption applies only to information collected, processed, sold, or disclosed subject to GLBA — information outside the GLBA's scope (e.g., employee data, website tracking data, marketing data) may still be subject to CCPA/CPRA. Firms must carefully analyze which data falls within the GLBA exemption and which does not.
New York (DFS 23 NYCRR 500). The New York Department of Financial Services cybersecurity regulation applies to all entities operating under or required to operate under a DFS license, registration, or charter, or that are otherwise DFS-regulated. This includes many broker-dealers and investment advisers operating in New York. Key requirements include: designation of a Chief Information Security Officer (CISO); establishment and maintenance of a cybersecurity program based on a risk assessment; written cybersecurity policies covering 14 specified areas (information security, data governance and classification, asset inventory, access controls, business continuity, systems and network security, monitoring, incident response, vendor management, encryption, and others); annual penetration testing and bi-annual vulnerability assessments; multi-factor authentication for accessing internal networks from an external network; encryption of NPI both in transit and at rest; 72-hour notification to DFS of material cybersecurity events (23 NYCRR 500.17); annual written certification of compliance by the board or senior officer (23 NYCRR 500.17(b)); and a requirement that CISOs report in writing at least annually to the board or senior governing body. DFS has actively enforced 23 NYCRR 500 through consent orders and civil penalties.
Massachusetts (201 CMR 17.00). Massachusetts Standards for the Protection of Personal Information require every entity that owns, licenses, stores, or maintains personal information of Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP). Required elements include: designation of a responsible employee, risk assessment, employee training, monitoring of the program, discipline for violations, prevention of terminated employees from accessing records, service provider oversight, restrictions on physical access, monitoring of systems for unauthorized access, encryption of transmitted records containing personal information, encryption of all personal information stored on laptops and portable devices, use of reasonably up-to-date firewall and operating system security patches, and use of up-to-date malware protection.
Multi-State Compliance. Firms with customers in multiple states must track and comply with each state's privacy and data breach notification laws. Key variations include: the definition of "personal information" triggering notification obligations (some states include broader categories such as biometric data, health information, or online account credentials); notification deadlines (ranging from 30 days to "reasonable" without a specified limit); notification content requirements; requirements to notify the state attorney general or other state agency; and requirements to provide credit monitoring or identity theft protection services. Maintaining a breach notification matrix that maps state-by-state requirements is a best practice for multi-state firms.
Vendor and Third-Party Risk Management
SEC and FINRA expect registered firms to exercise diligent oversight of service providers with access to customer data, information systems, or critical business functions. The principle that outsourcing does not outsource compliance responsibility is fundamental — the firm remains accountable for the security of customer data regardless of where the data is processed or stored.
Due Diligence Before Engagement. Before engaging a vendor with access to customer NPI or critical systems, firms should assess the vendor's information security posture, including: the vendor's written information security policies and procedures, SOC 2 Type II audit reports (or equivalent), business continuity and disaster recovery capabilities, incident response procedures and history, use of subcontractors and sub-processors, data center security (physical and logical), encryption practices, access control mechanisms, employee screening and training, and financial stability.
Contractual Protections. Contracts with service providers should include: confidentiality obligations covering all customer NPI and proprietary data; minimum information security standards (referencing recognized frameworks such as NIST CSF, ISO 27001, or SOC 2 criteria); breach notification requirements (specifying the vendor must notify the firm within a defined period, typically 24 to 72 hours, of discovering a security incident affecting the firm's data); the firm's right to audit the vendor's security practices and to receive audit reports; requirements for prompt return or destruction of data upon contract termination; restrictions on the vendor's use of the firm's data for purposes beyond the contracted services; provisions addressing the vendor's use of subcontractors, including the firm's right to approve or be notified of material subcontracting; indemnification for losses arising from the vendor's security failures; and the firm's right to terminate the contract for material security deficiencies.
Ongoing Monitoring. Due diligence is not a one-time exercise. Firms should: review updated SOC reports or equivalent assessments annually, conduct periodic security questionnaires or assessments, monitor the vendor for reported security incidents or regulatory actions, review the vendor's business continuity and disaster recovery testing results, and reassess the vendor's risk profile if there are material changes to the services provided, the data accessed, or the vendor's ownership or financial condition.
Cloud Service Provider Considerations. The SEC has issued risk alerts specifically addressing cloud security (SEC EXAMS Risk Alert, January 2020). Key expectations include: understanding the shared responsibility model (the cloud provider secures the infrastructure; the firm secures its data and configurations within the cloud); proper configuration of cloud storage to prevent unauthorized public access; strong identity and access management for cloud environments; encryption of data at rest and in transit within cloud services; logging and monitoring of cloud environment activity; and understanding the cloud provider's data residency, backup, and disaster recovery practices.
Concentration Risk. Regulators have expressed concern about concentration risk when multiple firms rely on the same critical service providers. Firms should assess whether the failure of a key vendor would create systemic risk, maintain business continuity plans that address vendor failure scenarios, and consider diversification of critical services where practicable.
Data Governance for Financial Firms
Effective data governance provides the operational framework for meeting privacy and security regulatory requirements.
Data Classification. Firms should classify data based on sensitivity and regulatory requirements. A common taxonomy includes: (a) Public — information intended for public distribution (marketing materials, publicly filed regulatory documents), (b) Internal — information for internal use that would not cause significant harm if disclosed (general correspondence, internal procedures), (c) Confidential — information whose unauthorized disclosure could cause harm to the firm or its clients (customer account information, trade data, financial projections), and (d) Restricted — the most sensitive information requiring the highest level of protection (Social Security numbers, account credentials, consumer report information, material nonpublic information). Classification drives the application of access controls, encryption, monitoring, and disposal requirements.
Access Controls. The principle of least privilege requires that employees, systems, and service providers receive only the minimum access necessary to perform their functions. Role-based access control (RBAC) assigns permissions based on job function rather than individual identity, facilitating consistent enforcement and efficient provisioning and deprovisioning. Segregation of duties prevents any single individual from having end-to-end control over a process that could facilitate fraud or unauthorized access. Access reviews should be conducted at least annually, and more frequently for privileged accounts.
Encryption. Data encryption should be applied both at rest (stored data) and in transit (data moving across networks). At rest, full-disk encryption, database encryption, and file-level encryption are common approaches. In transit, TLS 1.2 or higher should be used for all communications containing NPI. Encryption key management — including key generation, storage, rotation, and destruction — must be addressed in the firm's security policies.
Data Retention and Destruction. Financial firms must balance data minimization principles with books-and-records retention requirements. SEC Rule 17a-4 (broker-dealers) and IA Act Rule 204-2 (investment advisers) impose specific retention periods for various categories of records, typically ranging from 3 to 6 years depending on the record type. Data should be retained for the longest applicable retention period and securely destroyed when the retention period expires. Destruction methods must render data unrecoverable: shredding for physical media, cryptographic erasure or physical destruction for electronic media.
Data Loss Prevention (DLP). DLP systems monitor and control the movement of sensitive data within and outside the firm. Common DLP controls include: monitoring email and web traffic for NPI patterns (e.g., Social Security numbers, account numbers), blocking unauthorized transfers of sensitive files to external destinations (USB drives, personal email, cloud storage), monitoring print activity for sensitive documents, and generating alerts for anomalous data movement patterns. DLP controls should be calibrated to the firm's data classification scheme.
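As an added example (not from the original page), the following Python check applies the DLP pattern described above: it scans an outbound message for Social Security numbers and account numbers, validates SSN structure to reduce false positives, and blocks or alerts depending on whether the recipient is outside the firm. The internal domain, the account-number format and the sample messages are constructed assumptions.

```python
"""
Minimal DLP content check for outbound email (added example, not the page's
own code). Scans for NPI patterns named in the text (SSNs, account numbers),
validates SSN structure, and decides allow/alert/block by destination and by
the classification of what was found (Restricted vs Confidential).
"""
import re
from dataclasses import dataclass, field

# Matches 123-45-6789, 123 45 6789 or 123456789, bounded so it does not fire
# inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Hypothetical internal account-number format: two letters plus eight digits.
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}\d{8}\b")

# Assumed firm domain; any other recipient domain is an external destination.
INTERNAL_DOMAINS = {"example-ria.com"}


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from ticket/invoice numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    kind: str      # "ssn" (Restricted) or "account_number" (Confidential)
    count: int


@dataclass
class Decision:
    action: str    # "allow", "alert" or "block"
    findings: list = field(default_factory=list)


def scan_text(text: str) -> list[Finding]:
    """Return the NPI patterns found in a message body."""
    ssns = [m for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]
    accounts = ACCOUNT_RE.findall(text)
    findings = []
    if ssns:
        findings.append(Finding("ssn", len(ssns)))
    if accounts:
        findings.append(Finding("account_number", len(accounts)))
    return findings


def evaluate(sender: str, recipient: str, body: str) -> Decision:
    """Apply the classification-calibrated policy to one outbound message."""
    findings = scan_text(body)
    if not findings:
        return Decision("allow")
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    external = recipient_domain not in INTERNAL_DOMAINS
    if external and any(f.kind == "ssn" for f in findings):
        # Restricted data leaving the firm: block outright.
        return Decision("block", findings)
    if external:
        # Confidential data leaving the firm: deliver but raise an alert.
        return Decision("alert", findings)
    # Internal-to-internal traffic carrying NPI is permitted.
    return Decision("allow", findings)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("pm@example-ria.com", "me@gmail.com", "Client SSN 219-09-9999 attached"),
        ("pm@example-ria.com", "ops@example-ria.com", "SSN 219-09-9999 for KYC"),
        ("pm@example-ria.com", "x@vendor.com", "Account AB12345678 rebalanced"),
        ("a@example-ria.com", "b@gmail.com", "Ticket 000-12-3456 Invoice 666-12-3456"),
    ]
    for sender, rcpt, body in samples:
        d = evaluate(sender, rcpt, body)
        print(f"{rcpt:<22} -> {d.action:<5} {[(f.kind, f.count) for f in d.findings]}")
```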
Monitoring and Logging. Firms should maintain comprehensive logs of access to sensitive systems and data, including: user authentication events (successful and failed), access to customer account records, changes to access permissions, data exports and transfers, and system administrator activities. Logs must be retained for a sufficient period to support incident investigation and regulatory examination (SEC examiners frequently request 12 to 24 months of access logs). Automated alerting should be configured for anomalous activity patterns, such as after-hours access, access from unusual locations, or bulk data downloads.
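The three alerting patterns named above, as an added example that is not part of the original page: Python detection logic run over constructed access-log lines. The key=value log format, the per-user baseline countries, the business-hours window and the bulk thresholds are assumptions; the sample also includes an export to removable media of the kind described in Worked Example 1.

```python
"""
Detection rules for after-hours access, access from an unusual location and
bulk data downloads, run over constructed access-log lines (added example,
not the page's own code).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines in a hypothetical key=value format; timestamps are UTC.
SAMPLE_LOG = """\
2024-03-14T14:02:11Z user=alee event=login result=success src_country=US
2024-03-14T14:05:40Z user=alee event=record_view account=AB12345678 count=1
2024-03-14T02:15:07Z user=jdoe event=login result=success src_country=US
2024-03-14T02:16:30Z user=jdoe event=export count=900 dest=usb
2024-03-14T02:18:02Z user=jdoe event=export count=400 dest=usb
2024-03-14T09:30:00Z user=mkim event=login result=failure src_country=RO
2024-03-14T09:30:20Z user=mkim event=login result=success src_country=RO
"""

# Assumed baselines: countries each user normally authenticates from.
USER_BASELINE_COUNTRIES = {"alee": {"US"}, "jdoe": {"US"}, "mkim": {"US"}}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC treated as normal hours
BULK_EVENT_THRESHOLD = 500      # records in a single export
BULK_DAILY_THRESHOLD = 1000     # records per user per calendar day


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a UTC datetime."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(log_text: str) -> list:
    """Return (rule, user, detail) tuples for each anomaly found in the log."""
    alerts = []
    daily_export = defaultdict(int)   # (user, date) -> records exported so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]

        # Rules 1 and 2 apply to successful authentication events only; failed
        # logins are logged but handled by a separate brute-force rule (not shown).
        if ev.get("event") == "login" and ev.get("result") == "success":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_access", user, ts.isoformat()))
            country = ev.get("src_country")
            if country not in USER_BASELINE_COUNTRIES.get(user, set()):
                alerts.append(("unusual_location", user, country))

        # Rule 3: bulk download, both per event and cumulative per user per day.
        if ev.get("event") == "export":
            count = int(ev.get("count", 0))
            if count >= BULK_EVENT_THRESHOLD:
                alerts.append(("bulk_download", user, f"{count} records in one export"))
            key = (user, ts.date())
            before = daily_export[key]
            daily_export[key] += count
            # Fire once, at the moment the daily total first crosses the threshold.
            if before < BULK_DAILY_THRESHOLD <= daily_export[key]:
                alerts.append(("bulk_download_daily", user, f"{daily_export[key]} records today"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:<20} {user:<6} {detail}")
```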
Employee Training and Awareness
Regulators expect all employees to receive privacy and security training, with the scope and depth tailored to the employee's role and access level.
Regulatory Foundation. The Reg S-P Safeguards Rule requires firms to include employee training as part of their written information security policies. FINRA Regulatory Notice 21-18 emphasizes cybersecurity practices for member firms, including the importance of employee awareness and training. New York DFS 23 NYCRR 500.14 specifically requires regular cybersecurity awareness training for all personnel.
Training Content. Effective training programs should cover: the firm's privacy and information security policies and procedures; the types of NPI the firm collects and the regulatory requirements for protecting it; recognizing and reporting social engineering attacks, including phishing, spear-phishing, vishing (voice phishing), smishing (SMS phishing), pretexting, and business email compromise (BEC); physical security practices, including visitor management, secure areas, and clean desk policies; proper use of email, internet, and removable media; mobile device security and bring-your-own-device (BYOD) policies; password management and multi-factor authentication; procedures for reporting suspected security incidents, including whom to contact and what information to provide; and consequences of policy violations, including disciplinary action and potential regulatory liability.
Phishing Simulation. Firms should conduct periodic phishing simulation exercises to test employee awareness. Results should be tracked, and employees who fail simulations should receive additional targeted training. SEC examiners have requested phishing simulation results and click-through rates during cybersecurity examinations.
Training Frequency and Documentation. Training should be conducted at least annually, with supplemental training when significant new threats emerge or when the firm's policies change materially. New employees should receive training during onboarding before receiving access to customer NPI. All training must be documented, including the date, attendees, topics covered, and materials used. Documentation should be retained for a minimum of 5 years to satisfy examination and audit requirements.
Role-Specific Training. Employees with elevated access or specific security responsibilities — including IT staff, compliance personnel, executive management, and employees with administrative system privileges — should receive additional training tailored to their roles, covering advanced threat detection, incident response procedures, and regulatory expectations for their specific functions.
Worked Examples
Example 1: Departing Employee Downloads Client NPI to Personal USB Drive
Scenario: An SEC-registered investment adviser discovers during a routine access review that a recently departed portfolio manager downloaded a file containing client NPI — including names, Social Security numbers, dates of birth, and account values for 850 clients — to a personal USB drive on the employee's last day of employment. The firm's IT team identifies the transfer through endpoint monitoring logs. The employee has already left the firm and started at a competing RIA.
Compliance Issues:
- The Reg S-P Safeguards Rule (17 CFR 248.30) requires written policies and procedures to protect against unauthorized access to customer records. The firm must evaluate whether its existing controls were adequate to prevent this type of exfiltration and whether its policies were followed.
- If the firm's policies prohibited personal USB device use or required DLP controls blocking the transfer of files containing NPI to removable media, a failure to enforce those policies is itself a Safeguards Rule deficiency.
- If the firm lacked such policies, the absence constitutes a potential Safeguards Rule violation, as the policies must be reasonably designed to protect against unauthorized access.
- State breach notification laws are triggered because Social Security numbers were compromised. The firm must determine the states of residence of all 850 affected clients and comply with each applicable state law's notification requirements.
- Several states — including California (Cal. Civ. Code 1798.82), Massachusetts (M.G.L. c. 93H, Section 3), and New York (N.Y. Gen. Bus. Law 899-aa) — require notification to both the affected individuals and the state attorney general. Notification timelines vary but are typically 30 to 60 days from discovery.
- The firm should evaluate whether the departing employee's actions constitute potential financial crime (theft of trade secrets, identity theft facilitation, or misuse of client information for competitive solicitation), which may warrant a SAR filing under BSA/AML obligations.
Analysis: The firm should immediately take the following steps:
(1) Preserve all evidence of the data transfer, including endpoint monitoring logs, the employee's access logs, and any records of the files accessed or copied.
(2) Engage legal counsel to assess state breach notification obligations and to manage attorney-client privilege over the investigation.
(3) Contact the former employee and the competing firm through counsel to demand the return or certified destruction of all client data, supported by a forensic certification that no copies remain.
(4) Conduct a forensic analysis of the former employee's workstation and access history to determine whether additional data was compromised.
(5) Notify affected clients as required by applicable state laws, providing information about the nature of the data compromised, the steps the firm is taking, and resources for credit monitoring or identity theft protection (several states require the firm to offer credit monitoring at no cost).
(6) Report the incident to senior management and the board (or equivalent governing body) for oversight.
(7) Evaluate whether existing access controls should be strengthened — for example, implementing or enforcing USB port blocking, DLP controls preventing NPI transfer to removable media, and enhanced monitoring during employee offboarding periods.
(8) Document all remediation actions, as SEC examiners will expect to see evidence that the firm identified the root cause and implemented corrective measures.
Example 2: Third-Party Vendor Ransomware Attack Exposes Customer Data
Scenario: A mid-sized broker-dealer uses a third-party portfolio accounting vendor to process and store customer account data for approximately 15,000 accounts. The vendor notifies the firm that it has experienced a ransomware attack in which threat actors exfiltrated data before encrypting systems. The vendor's initial assessment indicates that the exfiltrated data may include customer names, addresses, account numbers, Social Security numbers, and account holdings. The firm's customers reside in 38 states. The vendor's notification arrives 10 days after the vendor discovered the incident.
Compliance Issues:
- The firm's Reg S-P Safeguards Rule obligations extend to its oversight of service providers. The firm is required to have written policies and procedures addressing service provider oversight, including contractual protections and ongoing monitoring (17 CFR 248.30).
- The firm must evaluate the adequacy of its vendor management program: Did the contract require the vendor to notify the firm within a specified period (e.g., 24 to 72 hours)? A 10-day delay may indicate a contractual gap or a vendor breach of its contractual obligations. Did the firm conduct due diligence on the vendor's security posture before engagement? Did the firm review the vendor's SOC reports or equivalent assessments? Did the contract include audit rights, subcontractor controls, and indemnification?
- If the firm is DFS-regulated, 23 NYCRR 500.17 requires notification to DFS within 72 hours of determining that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations — this includes incidents at third-party service providers that affect the firm's customer data.
- State breach notification laws are triggered for all 38 states where customers reside. The firm — not the vendor — is typically the entity with the customer relationship and thus bears the notification obligation (though the vendor may have independent notification obligations in some states).
- FINRA expects member firms to notify FINRA of significant cybersecurity incidents. A breach affecting 15,000 customer accounts with Social Security numbers is significant.
- The firm must assess whether the incident has triggered the SEC's proposed incident reporting requirements (if adopted) or, in any case, whether the incident is material for purposes of the firm's own regulatory filings and disclosures.
Analysis: The firm should activate its incident response plan and take the following actions:
(1) Engage external cybersecurity counsel and a forensic investigation firm to assess the scope of the compromise independently of the vendor's assessment.
(2) Demand from the vendor: a detailed incident timeline, forensic investigation reports, confirmation of the specific data compromised, the vendor's remediation steps, and evidence that the attack vector has been closed.
(3) Begin mapping state-by-state breach notification requirements for all 38 states. Assign the most restrictive deadline (likely 30 days from the firm's discovery) as the target for all notifications to ensure compliance across jurisdictions.
(4) Prepare customer notification letters that comply with the content requirements of each applicable state, providing the nature of the compromised data, the firm's response actions, and information about credit monitoring services (the firm should provide credit monitoring at its expense for affected customers).
(5) Notify DFS within 72 hours if the firm is subject to 23 NYCRR 500.
(6) Notify FINRA of the incident.
(7) Evaluate whether the breach resulted in or facilitated any unauthorized transactions, account takeovers, or other potential financial crime, and file SARs as appropriate.
(8) Reassess the vendor relationship: review the contract for breach provisions and indemnification rights, consider whether the vendor's security practices are adequate for continued engagement, and document the reassessment.
(9) Report the incident and remediation actions to the board or senior management, and update the firm's written information security program to address any gaps revealed by the incident.
(10) Retain all documentation of the incident, investigation, notifications, and remediation for examination and audit purposes.
Example 3: SEC Examination Focused on Cybersecurity
Scenario: An SEC-registered investment adviser with $5 billion in AUM receives an examination notification letter from the SEC Division of Examinations. The document request list includes cybersecurity as a focus area, requesting production of the firm's written information security policies, incident response plan, vendor assessments, access control documentation, employee training records, and board or management reporting on cybersecurity.
Compliance Issues:
- The examination will test the firm's compliance with the Reg S-P Safeguards Rule, which requires written policies and procedures for administrative, technical, and physical safeguards.
- If the firm is subject to Reg S-ID, examiners may also request the firm's Identity Theft Prevention Program and evidence of its implementation.
- SEC examiners will assess not only the existence of written policies but their actual implementation, testing, and updating — a policy that exists on paper but is not followed is a deficiency.
- Common SEC examination deficiency findings related to cybersecurity include: lack of a comprehensive written information security policy; policies that have not been updated to reflect current threats, technology, or business practices; insufficient access controls (e.g., shared passwords, failure to implement multi-factor authentication, failure to decommission access promptly upon employee departure); lack of a written incident response plan or failure to test the plan through tabletop exercises; insufficient vendor due diligence documentation (no SOC reports, no security questionnaires, no contractual protections); inadequate employee training records (no evidence of training, training not conducted annually, no phishing simulation program); failure to conduct periodic risk assessments; failure to encrypt NPI at rest and in transit; and insufficient board or senior management oversight (no regular reporting on cybersecurity risks, no board-level engagement).
Analysis: To prepare for the examination, the firm should:
(1) Assemble all responsive documents before the production deadline, including the written information security policy, risk assessments, incident response plan, vendor management policies and individual vendor assessments (SOC reports, security questionnaires, contracts with security provisions), access control documentation (user access lists, privileged account inventories, access review records, MFA implementation evidence), employee training materials and attendance records for at least the prior two years, phishing simulation results, incident logs (even if no material incidents occurred — examiners want to see the logging process), board or management committee meeting minutes reflecting cybersecurity discussions and reporting, and any third-party penetration testing or vulnerability assessment reports.
(2) Conduct a gap analysis against SEC examination expectations before the examination begins. Identify any deficiencies and begin remediation immediately — examiners view active remediation favorably, even if the deficiency exists.
(3) Prepare the CISO, CCO, and relevant IT and compliance personnel for examination interviews. Examiners will ask questions about how policies are implemented in practice, how incidents are escalated, how vendors are monitored, and how the firm stays current with evolving threats.
(4) Review recent SEC EXAMS risk alerts and deficiency letters related to cybersecurity to anticipate the examination team's areas of focus.
(5) Ensure that the firm's written policies are current and accurately reflect the firm's actual practices — a material gap between written policy and actual practice is a significant deficiency.
(6) Document the firm's remediation of any prior examination findings, internal audit findings, or self-identified deficiencies.
Common Pitfalls
- Treating the Reg S-P Safeguards Rule as a documentation exercise rather than an operational requirement — written policies must be implemented, tested, and updated, not merely drafted and filed
- Assuming the FAST Act annual privacy notice exception applies without verifying that the firm shares NPI only under permitted exceptions and has not changed its privacy policies since the last notice
- Failing to conduct a covered account analysis under Reg S-ID — firms sometimes assume that only banks have covered accounts, but brokerage accounts and advisory accounts with ongoing transactions qualify
- Implementing an Identity Theft Prevention Program at the time of initial adoption but never updating it, even as the firm's customer base, products, and threat landscape change
- Treating vendor due diligence as a one-time onboarding exercise rather than an ongoing monitoring obligation — a SOC report from three years ago does not satisfy current diligence expectations
- Including security standards in vendor contracts but never exercising audit rights or reviewing compliance with those standards
- Relying on a vendor's notification of a breach as the sole trigger for the firm's incident response — the firm has an independent obligation to monitor for and detect security incidents
- Failing to map multi-state breach notification obligations before an incident occurs, resulting in delayed or non-compliant notifications under compressed timelines
- Not distinguishing between data subject to the GLBA exemption from CCPA/CPRA and data that falls outside the exemption — employee data, website analytics, and marketing data may not be covered by the GLBA exemption
- Implementing encryption for data in transit but neglecting encryption at rest, or vice versa
- Failing to decommission system access promptly when employees depart — SEC examiners routinely check for active accounts belonging to former employees as an indicator of access control weaknesses
- Treating employee cybersecurity training as a compliance checkbox rather than an effective awareness program — annual slide decks without phishing simulations, role-specific content, or measurable outcomes are increasingly viewed as inadequate
- Maintaining incident response plans that have never been tested through tabletop exercises or simulations — untested plans frequently fail under the pressure of an actual incident
- Assuming that outsourcing data processing or storage to a cloud provider eliminates the firm's regulatory responsibility for data security — the shared responsibility model requires the firm to secure its own configurations, access controls, and data within the cloud environment
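Added example for the access decommissioning pitfall above (written for this page; it is not part of the skill or of any firm's tooling): a reconciliation that compares an HR departures roster with an identity-provider account export and flags accounts still enabled past a decommissioning window, or used after the departure date, which is the kind of evidence an access review should produce before an examiner asks for it. The roster, the account export, the review date and the one-day grace period are all constructed assumptions.

```python
"""Reconcile departed employees against active accounts (constructed data)."""
from datetime import date, timedelta

# Constructed HR offboarding roster: user_id -> last day of employment.
DEPARTURES = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 15),
    "bwong": date(2024, 2, 10),
}

# Constructed identity-provider export: user_id -> (account enabled?, last sign-in).
ACCOUNTS = {
    "jdoe": (True, date(2024, 3, 20)),      # still enabled AND used after departure
    "asmith": (True, date(2024, 3, 14)),    # still enabled, no post-departure use
    "bwong": (False, date(2024, 2, 9)),     # correctly disabled
    "ccurrent": (True, date(2024, 3, 21)),  # active employee, not in roster
}

AS_OF = date(2024, 3, 25)   # constructed date of the access review
GRACE = timedelta(days=1)   # assumed decommissioning SLA; set to the firm's policy


def find_orphaned_accounts(departures, accounts, as_of, grace=GRACE):
    """Return (user_id, severity, detail) findings for every departed user whose
    account shows sign-in activity after the departure date (high) or is still
    enabled once the grace window has elapsed (medium). Sorted for stable output."""
    findings = []
    for user, last_day in departures.items():
        if user not in accounts:
            continue  # no account in this system; nothing to decommission
        enabled, last_login = accounts[user]
        if last_login > last_day:
            # Use after departure is the finding examiners care most about.
            findings.append((user, "high",
                             f"sign-in on {last_login} after departure {last_day}"))
        elif enabled and as_of > last_day + grace:
            overdue = (as_of - (last_day + grace)).days
            findings.append((user, "medium",
                             f"account still enabled {overdue} days past SLA"))
    return sorted(findings)


if __name__ == "__main__":
    for user, severity, detail in find_orphaned_accounts(DEPARTURES, ACCOUNTS, AS_OF):
        print(f"[{severity}] {user}: {detail}")
```

In practice the two inputs come from the HRIS and the identity provider on a schedule; retaining each run's output gives the access review records the examination request list asks for.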
Cross-References
- client-disclosures (Layer 9): The Reg S-P privacy notice is a required client disclosure document; its content, delivery timing, and the FAST Act exception are addressed in the client-disclosures skill
- books-and-records (Layer 9): Data retention and destruction requirements under privacy regulations must be reconciled with books-and-records retention rules under SEC Rule 17a-4 and IA Act Rule 204-2
- know-your-customer (Layer 9): KYC data — including Social Security numbers, dates of birth, addresses, and identification documents — constitutes NPI requiring protection under Reg S-P and is a primary target for identity theft under Reg S-ID
- anti-money-laundering (Layer 9): Cybersecurity incidents involving unauthorized account access, funds theft, or identity theft may trigger SAR filing obligations under BSA/AML requirements
- examination-readiness (Layer 9): Cybersecurity is consistently among the SEC Division of Examinations' top examination priorities; cybersecurity document requests, interview topics, and common deficiency findings are central to examination preparation
- conflicts-of-interest (Layer 9): Information barriers, access controls, and data segregation policies serve dual purposes — preventing misuse of material nonpublic information and protecting customer NPI from unauthorized internal access