M&A boom drives SEC concerns about planners' branch offices


Although brokers' and advisors' main offices are doing a fairly good job of safeguarding client information, the same can't be necessarily said for their branch offices.

That's the thrust of a Securities and Exchange Commission risk alert released Wednesday putting firms on notice that the cybersecurity policies and other procedures they use to protect customer data in their main locations should be extended to their branches. It's the latest sign that the industry continues to struggle with the ins and outs of remote work as the practice became entrenched in the industry following the outbreak of COVID-19 in March 2020.

Marilyn Miles, senior vice president of regulatory services at New York-based COMPLY, said the risk alert also likely comes in response to the increase in mergers and acquisitions in the industry in recent years. She takes the notice as a sign that the SEC thinks acquiring firms are not doing enough to extend their client safeguards to the businesses they are buying.

"The acquired firms may have certain systems they use for email or archiving, for instance, and those are not necessarily what the main offices are using," Miles said. "Now, changing all that over is easier said than done. But the SEC is saying you need to make sure these transitions are happening quickly."

Amy Lynch, the founder and president of FrontLine Compliance in Rockville, Maryland, agreed the risk alert is likely a warning to companies that have gobbled up smaller firms in recent years. She said the SEC's priorities show the importance of consulting compliance experts early on whenever a merger or acquisition is afoot.

"Compliance and risk management staff need to be brought in at the beginning of the process," Lynch said. "If the chief compliance officer always had a seat at the table in some of these situations, then the issues discussed in this alert could be brought to the attention of business managers immediately."

The SEC's alert doesn't list any firms by name. Attempts to reach an SEC spokesperson weren't immediately successful.

The Wall Street regulator's risk alert was issued by its Division of Examinations, which conducts annual reviews of both registered investment advisors and broker-dealers. In the SEC's 2022 fiscal year, ended on Sept. 30, the division examined 15% of the more than 15,000 RIAs then in business. It also worked with the Financial Industry Regulatory Authority, the broker-dealer industry's self-regulator, to inspect nearly half of the 3,500 federally registered brokerages.

Mergers and acquisitions have been on a tear in the wealth management industry in recent years. Among registered investment advisors, for instance, there were 341 M&As in 2022, according to the research firm Echelon Partners. That was up from 60 in 2012.

The SEC's risk alert draws attention to several ways in which firms' main offices are falling short with their branch locations. The regulator said many advisors have procedures in place to vet vendors they might hire to provide cybersecurity or other technological services. But they aren't insisting that branch offices abide by the same policies.

"This resulted in weak or misconfigured security settings on systems and applications at some firms, which could result in unauthorized access to customer records or information," according to the alert.

This isn't the first time the SEC has shown concerns about firms' employment of third-party vendors. In October, the regulator put forward a proposed rule that would extend firms' fiduciary responsibilities to any company enlisted for help with cybersecurity, investment strategies, compliance and other operations. The proposal has been greeted with little enthusiasm from industry advocates, many of whom have complained it will prove unnecessarily burdensome. 

Third-party vendors weren't the only cause for concern noted in the SEC's latest risk alert. The regulator also pointed out that some firms weren't doing enough to make sure their branch offices were taking proper precautions with email and other technology. Some main offices, for instance, weren't making sure their branches were taking common cybersecurity precautions, such as requiring employees to use complex passwords and multifactor authentication to access computer systems. Multifactor authentication usually consists of at least two steps — typing a password into a computer, for instance, and then entering a number sent to an employee's mobile phone.

The SEC said it witnessed instances in which branch offices' computers were running on obsolete operating systems, leaving them vulnerable to hacking. It also found that branches at times had worked with third-party vendors on their own, and not through their home offices, to install email systems.

"In some instances, weak email configuration resulted in account takeover or business email compromise," according to the alert. "In other instances, default email configuration failed to capture all account activity, resulting in the inability to perform adequate incident response."

Similarly, the SEC observed that firms were falling short with their storage of customer records. Many main offices have procedures for documenting when client records are stored in an electronic format. But those policies, according to the alert, aren't always being extended to branch offices.

Cybersecurity has long been one of the SEC's primary concerns. A rule the regulator proposed in March would give brokers and advisors a hard 30-day deadline to report data breaches to clients. The SEC is also considering proposals that would require firms to inform regulators of breaches immediately and provide detailed reports within 48 hours.
