With more people working remotely than ever before in light of COVID-19, firms in the private equity and hedge fund space should review their Regulation S-P privacy and information-safeguarding policies to ensure they are compliant and ready for a prolonged period of remote work. In particular, in view of SEC guidance, firms should focus on several key areas including personal devices and personally identifiable information.
Regulation S-P (“Reg. S-P”) is the key SEC rule regarding privacy notices and safeguarding policies of registered broker-dealers, registered investment companies, and registered investment advisers. Reg. S-P does not apply to exempt reporting advisers and private funds, which are covered by the Consumer Financial Protection Bureau’s Regulation P. In the last several years, OCIE has issued several Risk Alerts (including relevant alerts in April 2019 and August 2017) providing registered advisers with guidance relating to Reg. S-P and highlighting common shortcomings and weaknesses in registered advisers’ privacy policies and procedures. Among other things, Reg. S-P requires that all registered advisers adopt written safeguarding policies and procedures that are reasonably designed to (a) ensure the security and confidentiality of customer records (which includes those of individual investors) and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The April 2019 and August 2017 OCIE Risk Alerts noted several common deficiencies with Reg. S-P compliance, including either not having policies in place or only addressing notice and opt-out provisions without mentioning safeguarding procedures. Even where firms had safeguarding policies and procedures, however, OCIE noted several common deficiencies that are highly relevant in a “work from home” world—beginning with policies governing personal electronic devices.
OCIE found that firm employees use personal electronic devices to store and maintain customer information despite a lack of clear policies and procedures on how the devices should be configured to protect this information. Employees are increasingly using their personal cellular phones and laptops for work, and now is a perfect time to make sure policies governing those devices include clear guidelines, such as:
- Requiring all employee devices to be equipped with employer-provided security software and the latest manufacturer software updates, including updating all operating systems to ensure support by security patches prior to permitting access to any of employer’s remote systems;
- Requiring multifactor authentication upon each login to a company portal; and
- Ensuring that email and messaging systems remain encrypted and secured.
Personally Identifiable Information:
OCIE’s Risk Alert also warned against improper policies toward electronic communications of personally identifiable information, or “PII.” PII can include confidential financial information and other sensitive information such as Social Security numbers or dates of birth. For example, OCIE has flagged a lack of policies and procedures designed to prevent employees from sending unencrypted emails containing personal information.
PII can be transmitted through unsecured networks, such as home networks or across the Internet in unencrypted form (e.g., between different email domains). OCIE has previously flagged policies and procedures that did not prevent employees from sending personally identifiable information to unsecured networks. Firms should revisit and revise their privacy policies to provide clear guidance regulating the transmission of personally identifiable information across unsecured networks.
Another type of unsecured transmission of PII that may occur is through popular videoconferencing platforms, such as Zoom, that have replaced in-person meetings. Among other things, platforms such as Zoom have been criticized for not using true end-to-end encryption, giving the videoconference provider (or persons who gain unauthorized access to the provider’s network) the technical ability to attend, observe, and record meetings (though Zoom recently committed to implementing end-to-end encryption for all of its users). Registered advisers should consider vetting any videoconferencing service prior to committing to it as a secure replacement for in-person meetings.
Aside from transmitting information, registered advisers must also ensure that only authorized persons have access to any PII. For example, where a registered adviser furloughs or lays off employees, OCIE warns that departed employees should not retain access rights to restricted customer information post departure.
Registered advisers can take commercially available steps to protect PII. For example, registered advisers may consider:
- Only allowing remote access through a virtual private network (VPN) with strong end-to-end encryption,
- Prohibiting use of public WiFi,
- Requiring the use of secure, password-protected home WiFi or hotspots, and
- Imposing additional credentialing with respect to the ability to download certain sensitive data.
COVID-19 has precipitated a dramatic increase in employees working remotely. The current situation provides a perfect opportunity to revisit and update important privacy policies that protect employees and clients, as well as the firms themselves.
* * *
Proskauer’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team is focused on supporting and addressing client concerns. Visit our Coronavirus Resource Center for guidance on risk management measures, practical steps businesses can take and resources to help manage ongoing operations.