SEC Risk Alert: Safeguarding Customer Records and Information at Branch Offices

On April 26, 2023, the U.S. Securities and Exchange Commission’s Division of Examinations issued a Risk Alert to highlight the importance of establishing written policies and procedures for safeguarding customer records and information at branch offices.  This includes broker-dealers and investment advisers with a main office and multiple smaller, or “branch” offices.  The Risk Alert discusses several instances where a firm’s main office will implement safeguarding policies and procedures, however, these firms will fail to adopt or implement written policies and procedures that address safeguards for their branch offices, notwithstanding the existence of the same or similar risks.   The Risk Alert observes this has resulted in these branch offices falling victim to cybersecurity and data breaches.  The Risk Alert identifies common issues the Staff has identified in this area, including the following.

Vendor Management

The Staff observed branch offices often failed to perform proper due diligence and oversight of their vendors as required by the firms’ own policies and procedures.  In some of these instances, firms did not provide any guidance or recommendations to assist branch offices in the selection of vendors.  The Staff found this resulted in weak or misconfigured security settings on systems and applications, which could result in unauthorized access to customer records or information.

Email Configuration

The Staff found firms lacked policies and procedures addressing branch office email configurations.  Branch office personnel would be allowed to obtain their own email services from vendors without specifying the technical requirements necessary to secure the branch offices’ email solution.  Weak email configuration can result in account takeover or business email compromise.  At some firms, default email configuration failed to capture all account activity, resulting in the inability to perform adequate responses to incidents.

Data Classification

The Staff found many firms exhibit appropriate data classification policies and procedures to identify where customer records and information were stored electronically.  However, firms did not always apply these policies and procedures to a branch office.

Access Management

Similar to its observations around data classification, the Staff found firms appropriately maintain policies and procedures requiring password complexity and multi-factor authentication for remote access to firm systems.  Although some firms required these controls for the main office, they did not require such controls for branch offices.

Technology Risk

Finally, the Staff observed many firms appropriately focus on technology risk by implementing written policies and procedures for inventory management, patch management, and vulnerability management. Again, the Staff found firms did not always apply these policies and procedures to their branch offices.  This led to branch offices not being up-to-date with system patching.  The Staff also found some firms were not aware of the systems running on the branch office networks, and some branch offices were running end of life operating systems, which may not receive proper security updates and may no longer be serviced by its vendor.  These issues may cause branch office systems to be at increased risk of compromise.

In light of the Risk Alert, firms should review their entire organization, including branch offices, when implementing written policies and procedures for the safeguarding of customer records and information to ensure they are compliant with Regulation S-P.  Firms should ensure applicable policies are being implemented at branch offices, along with their main office.  You may access the full SEC alert at

Contact Us Today

We will show you how FiSolve will position your firm to grow its assets and bolster its processes.