Although brokers' and advisors' main offices are doing a fairly good job of safeguarding client information, the same can't necessarily be said for their branch offices.
That's the thrust of a Securities and Exchange Commission
Marilyn Miles, the senior vice president regulatory services at New York-based
"The acquired firms may have certain systems they use for email or archiving, for instance, and those are not necessarily what the main offices are using," Miles said. "Now, changing all that over is easier said than done. But the SEC is saying you need to make sure these transitions are happening quickly."
Amy Lynch, the founder and president of FrontLine Compliance in Rockville, Maryland, agreed the risk alert is likely a warning to companies that have gobbled up smaller firms in recent years. She said the SEC's priorities show the importance of consulting compliance experts early on whenever a merger or acquisition is afoot.
"Compliance and risk management staff need to be brought in at the beginning of the process," Lynch said. "If the chief compliance officer always had a seat at the table in some of these situations, then the issues discussed in this alert could be brought to the attention of business managers immediately."
The SEC's alert doesn't list any firms by name. Attempts to reach an SEC spokesperson weren't immediately successful.
The Wall Street regulator's risk alert was issued by its Division of Examinations, which conducts
Mergers and acquisitions have been on a tear in the
The SEC's risk alert draws attention to several ways in which firms' main offices are falling short with their branch locations. The regulator said many advisors have procedures in place to vet vendors they might hire to provide cybersecurity or other technological services. But they aren't insisting branch offices abide by the same policies.
"This resulted in weak or misconfigured security settings on systems and applications at some firms, which could result in unauthorized access to customer records or information," according to the alert.
This isn't the first time the SEC has shown concerns about firms' employment of third-party vendors. In October, the regulator
Third-party vendors weren't the only cause for concern noted in the SEC's latest risk alert. The regulator also pointed out that some firms weren't doing enough to make sure their branch offices were taking proper precautions with email and other technology. Some main offices, for instance, weren't making sure their branches were taking common cybersecurity precautions, such as requiring employees to use complex passwords and multifactor authentication to access computer systems. Multifactor authentication usually consists of at least two steps — typing a password into a computer, for instance, and then entering a number sent to an employee's mobile phone.
The SEC said it witnessed instances in which branch offices' computers were running on obsolete operating systems, leaving them vulnerable to hacking. It also found that branches at times had worked with third-party vendors on their own, and not through their home offices, to install email systems.
"In some instances, weak email configuration resulted in account takeover or business email compromise," according to the alert. "In other instances, default email configuration failed to capture all account activity, resulting in the inability to perform adequate incident response."
Similarly, the SEC observed that firms were falling short with their storage of customer records. Many main offices have procedures for documenting when client records are stored in an electronic format. But those policies, according to the alert, aren't always being extended to branch offices.
Cybersecurity has long been one of the SEC's primary concerns.