Tuesday, May 26, 2009

Privacy Clauses in Contracts

Another reminder for you. (This was discussed at the April conference, too.)

Your contracts with third parties, such as payroll services, clearing firms and, of course, ESM (electronic storage media) providers, should have some language about safeguarding customer information. FINRA seems to be enforcing this in anticipation of final approval/effectiveness of amendments to Regulation S-P. Here’s a summary of the related change in that SEC rule:

Currently, Section 30(a) of Regulation S-P requires institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information.

Amendments to Reg. S-P would require firms to develop “information security programs” that would, among other things, obligate them to:

“oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing).”

The term “service provider” would mean any person or entity that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person subject to the rule.

Reasonable steps to evaluate the information safeguards of service providers could include the use of third-party review of those safeguards such as a Statement of Auditing Standards No. 70 (“SAS 70”) report, a SysTrust report or a WebTrust report. (This is straight from the SEC release—it seems geared towards large firms; small firms will have to determine which ‘reasonable steps’ are practical, affordable and effective.)

See http://www.sec.gov/rules/proposed/2008/34-57427.pdf for the SEC’s proposed amendment from last year.
