Safeguards Rule - Protection of Customer Information

To meet the Safeguards Rule’s “Protection of Customer Information” requirement, you must adopt written policies and procedures that implement administrative, technical, and physical safeguards to protect customer records and information across your firm and relevant third parties. Your job is to turn that written program into operating controls with evidence that it works. (17 CFR § 248.30)

Key takeaways:

  • Written policies and procedures must explicitly address administrative, technical, and physical safeguards. (17 CFR § 248.30)
  • Scope includes customer records and information throughout the full data lifecycle, including third parties that touch it. (17 CFR § 248.30)
  • Evidence matters: exams focus on whether safeguards are operating, not whether a policy exists. (17 CFR § 248.30)

Compliance leaders often treat the Safeguards Rule as “the cybersecurity policy requirement.” Examiners treat it as something narrower and more demanding: a written safeguards program that is demonstrably implemented across people, process, and technology for customer records and information. The regulatory text is short, which creates a practical problem. You need to translate a single sentence into a security program that covers governance, access, monitoring, secure handling, and physical protection, then prove it runs consistently.

Operationalizing 17 CFR § 248.30 starts with scope. Define what “customer records and information” means in your environment, where it lives, and which business processes create, access, transmit, store, or dispose of it. Then map safeguards to those flows: administrative safeguards (ownership, training, oversight), technical safeguards (identity, access control, encryption, logging), and physical safeguards (facility controls, media handling, shredding, device disposal). Finally, build an evidence set that ties your policies to system settings, workflows, tickets, logs, and third-party oversight.

This page is written for a CCO, Compliance Officer, or GRC lead who needs requirement-level implementation guidance you can put into motion immediately, including step-by-step actions, required artifacts, and exam-ready questions.

Regulatory text

Regulatory requirement (excerpt): “Every broker, dealer, and investment adviser registered with the Commission shall adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” (17 CFR § 248.30)

Operator meaning (what you must do):

  1. Adopt written policies and procedures (not just a high-level policy) that describe how your firm protects customer records and information. (17 CFR § 248.30)
  2. Ensure those documents explicitly cover three safeguard categories: administrative, technical, and physical. (17 CFR § 248.30)
  3. Treat the requirement as an operating program: if your controls are not implemented, measured, and evidenced, the “written policies and procedures” will not hold up in an exam. (17 CFR § 248.30)

Plain-English interpretation (requirement-level)

You must run an information security program for customer information that is:

  • Documented: written policies and procedures exist, are approved, current, and accessible. (17 CFR § 248.30)
  • Complete across safeguard types: the documents and the controls cover people/process governance (administrative), system protections (technical), and facilities/media protections (physical). (17 CFR § 248.30)
  • Aligned to customer data reality: it covers how customer information is collected, used, shared, stored, and disposed, including what happens at third parties. (17 CFR § 248.30)

Who it applies to

Entity scope:

  • Broker-dealers registered with the SEC. (17 CFR § 248.30)
  • Investment advisers registered with the SEC. (17 CFR § 248.30)
  • The text also references “broker” and “dealer” as covered entities. (17 CFR § 248.30)

Operational scope (where it bites):

  • Any process or system that stores or processes customer records and information (CRM, portfolio/account systems, email and chat, file shares, case management, cloud storage, endpoints, backups, data warehouses). (17 CFR § 248.30)
  • Third parties that create, receive, maintain, transmit, or can access customer records and information (administrators, cloud providers, managed service providers, document shredding, call centers, outsourced trading ops). You remain accountable for safeguards in your operating model. (17 CFR § 248.30)

What you actually need to do (step-by-step)

Use this sequence to go from “policy exists” to “exam-ready program.”

1) Define and document scope of customer information

  • Create a data scope statement: what you treat as customer records and information, where it resides, and which business units handle it. (17 CFR § 248.30)
  • Produce or update a system inventory and tag systems that store/process customer information. (17 CFR § 248.30)
  • Identify key data flows: onboarding, trading/portfolio management, reporting, customer support, billing, marketing communications, offboarding and record retention/disposal. (17 CFR § 248.30)

Output: “Customer Information Scope & System Map” (document) tied to your inventories.

2) Adopt written policies and procedures mapped to the three safeguard classes

Build a single “Safeguards Rule program” binder (virtual is fine) that points to the underlying policies/procedures. Ensure each safeguard class is clearly addressed. (17 CFR § 248.30)

Administrative safeguards (people + governance):

  • Ownership (named roles), approval authority, exception handling.
  • Workforce access processes (joiner/mover/leaver), training expectations, disciplinary approach.
  • Third-party oversight approach for customer data access. (17 CFR § 248.30)

Technical safeguards (systems + controls):

  • Identity and access management standards.
  • Authentication requirements, privileged access approach.
  • Logging/monitoring expectations, vulnerability and patch handling, encryption standards where applicable. (17 CFR § 248.30)

Physical safeguards (facilities + media):

  • Office access controls, visitor management, secure areas.
  • Secure printing, paper file storage, media handling, secure disposal and device wiping. (17 CFR § 248.30)

Tip for speed: write a “Safeguards Rule Control Matrix” that lists each policy/procedure and the control evidence it creates.

3) Translate policies into control owners, routines, and proof

Policies fail in exams when “IT does it” is the only answer. Assign owners and operational cadences.

  • Assign a control owner for each safeguard area (administrative, technical, physical). (17 CFR § 248.30)
  • Create runbooks for recurring activities (access reviews, termination access removal, logging review, incident triage, secure disposal). (17 CFR § 248.30)
  • Define evidence sources (tickets, configuration snapshots, reports, logs, training rosters, vendor due diligence files). (17 CFR § 248.30)

4) Implement third-party controls where customer information is shared

Treat third-party access as part of your safeguard perimeter. Practical minimums:

  • Maintain a list of third parties with customer data access and the data types involved. (17 CFR § 248.30)
  • Require contractual commitments aligned to your safeguards program (security requirements, confidentiality, incident reporting expectations, disposal/return). Keep it consistent with your written procedures. (17 CFR § 248.30)
  • Perform due diligence before onboarding and reassess periodically, with heightened scrutiny for high-access providers (managed IT, cloud hosting, transfer agents, outsourced operations). (17 CFR § 248.30)

Where Daydream fits: many teams lose time chasing artifacts across procurement, security, and business owners. A third-party risk workflow in Daydream can centralize the third-party inventory, due diligence requests, evidence collection, and exception tracking so your Safeguards Rule documentation stays tied to operational proof.

5) Prove physical safeguards, not just cybersecurity

Exams often surface gaps here because teams focus on logical controls.

  • Confirm badge/access logs exist for controlled areas (as applicable). (17 CFR § 248.30)
  • Document secure disposal: shredding bins, certified destruction (if used), device wipe procedures, chain of custody for retired assets. (17 CFR § 248.30)
  • Address remote work: workstation locking, secure storage of printed customer information, guidance for home printing and disposal. (17 CFR § 248.30)

6) Establish governance: approvals, exceptions, and updates

  • Get formal approval for the safeguards policies and procedures and keep prior versions. (17 CFR § 248.30)
  • Create an exception process (risk acceptance) so deviations are documented, time-bound, and approved. (17 CFR § 248.30)
  • Update the program after meaningful business or technology changes (new systems, acquisitions, new third-party models). (17 CFR § 248.30)

Required evidence and artifacts to retain

Keep artifacts that prove both “written” and “operating” safeguards. Typical exam-ready evidence set:

  • Written Safeguards Rule policies and procedures, with approval history and versioning. (17 CFR § 248.30)
  • Customer information scope document, system inventory, and data flow map. (17 CFR § 248.30)
  • Administrative: training materials and completion records; access provisioning and termination tickets; role definitions and responsibility assignments. (17 CFR § 248.30)
  • Technical: access control configurations (screenshots/exports), privileged access workflows, logging/monitoring records, vulnerability/patch evidence, encryption standards and settings where implemented. (17 CFR § 248.30)
  • Physical: facility access procedures, visitor logs where applicable, clean desk/secure printing guidance, disposal certificates (if used), device wipe records. (17 CFR § 248.30)
  • Third-party: inventory of third parties with customer data, due diligence packages, contracts/security addenda, exceptions and remediation tracking. (17 CFR § 248.30)

Common exam/audit questions and hangups

Expect questions framed as “show me,” not “tell me.”

  • “Show me the written policies and procedures that cover administrative, technical, and physical safeguards.” (17 CFR § 248.30)
  • “Which systems contain customer records and information, and who owns them?” (17 CFR § 248.30)
  • “How do you control and review access to customer information, including privileged access?” (17 CFR § 248.30)
  • “How do you oversee third parties that can access customer information? Show due diligence and contract requirements.” (17 CFR § 248.30)
  • “How do you securely dispose of customer information in paper and electronic forms?” (17 CFR § 248.30)

Hangup to plan for: teams can describe technical controls but cannot connect them back to written procedures and owned routines.

Frequent implementation mistakes and how to avoid them

  1. Mistake: treating the policy as the control.
    Fix: attach each policy statement to an operating procedure and an evidence source (ticket type, report, log, register). (17 CFR § 248.30)

  2. Mistake: forgetting physical safeguards.
    Fix: build a short physical control checklist for each office/site and for remote work practices; collect proof (photos are fine if permitted; logs and procedures are better). (17 CFR § 248.30)

  3. Mistake: no scoped inventory of customer information.
    Fix: maintain a living inventory of systems and third parties that touch customer records and information, and review it after system changes. (17 CFR § 248.30)

  4. Mistake: third-party oversight limited to a questionnaire.
    Fix: define what “acceptable” means in writing (required controls, incident reporting expectations) and document follow-up on gaps and exceptions. (17 CFR § 248.30)

  5. Mistake: policies don’t match reality.
    Fix: sample-test a few high-risk processes (new user provisioning, terminated user removal, secure disposal) against your written procedures and correct the documents or the process. (17 CFR § 248.30)
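The sample test in mistake 5 and the "terminated user removal" runbook in step 3 are the kind of check that can be scripted once and re-run each review cycle. The following is an added example, not code from the page or from Daydream: it reconciles a constructed HR leaver feed against a constructed identity-provider user export, flags accounts that were not disabled within an assumed 1-day removal SLA, and emits an evidence record tied to a hypothetical control-matrix row (the control ID `SG-ADM-03`, the column names and the SLA are all assumptions for illustration).

```python
"""Added example (not from the original page): sample-test the "terminated user
access removal" procedure against an IdP export and emit an evidence record
that ties the result back to a control-matrix row.

Every input below is constructed for the example. The control ID, the CSV
column names and the 1-calendar-day removal SLA are assumptions.
"""
import csv
import io
from dataclasses import asdict, dataclass
from datetime import date, timedelta

# Constructed HR leaver feed: the trigger the written procedure acts on.
HR_LEAVERS_CSV = """employee_id,email,termination_date
E100,alice@example.com,2024-03-01
E101,bob@example.com,2024-03-04
E102,carol@example.com,2024-03-05
E103,dave@example.com,2024-03-06
"""

# Constructed identity-provider export: the evidence source for the control.
# status_changed is the date the account reached its current status.
IDP_ACCOUNTS_CSV = """email,status,status_changed
alice@example.com,DISABLED,2024-03-01
bob@example.com,DISABLED,2024-03-11
carol@example.com,ACTIVE,
erin@example.com,ACTIVE,2023-11-20
"""

# One row of a "Safeguards Rule Control Matrix" (hypothetical ID and wording).
CONTROL = {
    "control_id": "SG-ADM-03",
    "safeguard_class": "administrative",
    "policy_statement": "Access to customer information is removed on termination.",
    "procedure": "Leaver runbook: disable the IdP account within 1 day of the HR termination date.",
    "evidence_source": "IdP user export reconciled against the HR leaver feed",
}

REMOVAL_SLA_DAYS = 1  # assumed SLA taken from the hypothetical runbook


@dataclass
class Finding:
    email: str
    termination_date: str
    issue: str


def parse_csv(text: str) -> list[dict]:
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_leaver_removal(leavers: list[dict], accounts: list[dict],
                         sla_days: int = REMOVAL_SLA_DAYS) -> list[Finding]:
    """Return one Finding per leaver whose account is still active or was
    disabled later than termination_date + sla_days."""
    by_email = {a["email"].strip().lower(): a for a in accounts}
    findings = []
    for leaver in leavers:
        email = leaver["email"].strip().lower()
        term = date.fromisoformat(leaver["termination_date"])
        deadline = term + timedelta(days=sla_days)
        acct = by_email.get(email)
        if acct is None:
            continue  # leaver never had an IdP account: nothing to remove
        if acct["status"] != "DISABLED":
            findings.append(Finding(email, leaver["termination_date"],
                                    "account still active after termination"))
            continue
        disabled_on = date.fromisoformat(acct["status_changed"])
        if disabled_on > deadline:
            late = (disabled_on - deadline).days
            findings.append(Finding(email, leaver["termination_date"],
                                    f"disabled {late} day(s) after the SLA deadline"))
    return findings


def build_evidence_record(control: dict, leavers: list[dict],
                          findings: list[Finding], tested_on: date) -> dict:
    """Produce the artifact you would file as evidence for this control."""
    return {
        "control_id": control["control_id"],
        "safeguard_class": control["safeguard_class"],
        "procedure": control["procedure"],
        "evidence_source": control["evidence_source"],
        "tested_on": tested_on.isoformat(),
        "sample_size": len(leavers),
        "exceptions": [asdict(f) for f in findings],
        "result": "PASS" if not findings else "FAIL",
    }


if __name__ == "__main__":
    leavers = parse_csv(HR_LEAVERS_CSV)
    accounts = parse_csv(IDP_ACCOUNTS_CSV)
    record = build_evidence_record(CONTROL, leavers,
                                   check_leaver_removal(leavers, accounts),
                                   date(2024, 3, 15))
    for exc in record["exceptions"]:
        print(f"{record['control_id']}: {exc['email']}: {exc['issue']}")
    print("Result:", record["result"])
```

A FAIL record with named exceptions is more useful to an examiner than a screenshot: it shows the sample, the procedure it was tested against, and the follow-up needed (here, one account still active and one disabled late). Re-running the same check against fresh exports each quarter turns the runbook into the "as you operate" evidence capture the 60-day plan asks for.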

Enforcement context and risk implications

The sources available for this page include the rule text but no public enforcement cases to cite. What you can assume operationally: failure modes tend to center on weak access control, incomplete third-party oversight, written procedures that do not match operations, and an inability to produce evidence of ongoing safeguards. The risk is both customer harm (exposure of customer records and information) and regulatory findings tied directly to the written-safeguards requirement. (17 CFR § 248.30)

Practical execution plan (30/60/90-day)

First 30 days (stabilize scope and documents)

  • Publish a scoped definition of customer records and information and identify in-scope systems and third parties. (17 CFR § 248.30)
  • Gather existing policies/procedures; identify gaps against administrative/technical/physical safeguards. (17 CFR § 248.30)
  • Stand up a single control matrix mapping each safeguard requirement to an owner, procedure, and evidence source. (17 CFR § 248.30)

Days 31–60 (make controls provable)

  • Convert key controls into repeatable routines: access provisioning/termination, logging review, vulnerability handling, secure disposal handling, third-party onboarding checks. (17 CFR § 248.30)
  • Start evidence capture “as you operate” (tickets, reports, approvals) rather than retroactive collection. (17 CFR § 248.30)
  • Identify high-risk third parties with customer data access and prioritize due diligence and contract alignment. (17 CFR § 248.30)

Days 61–90 (test, remediate, and govern)

  • Perform a tabletop walk-through: pick representative customer-data workflows and trace policy → procedure → evidence for each. (17 CFR § 248.30)
  • Remediate the top gaps (access control inconsistencies, missing logs, unclear ownership, weak disposal practices, third-party exceptions). (17 CFR § 248.30)
  • Formalize ongoing governance: exception approvals, periodic review of inventories, and policy refresh triggers after major changes. (17 CFR § 248.30)

Frequently Asked Questions

Does “written policies and procedures” mean one document or many?

The rule requires written policies and procedures that address administrative, technical, and physical safeguards, but it does not prescribe document structure. Keep one mapped “Safeguards Rule program” index that points to the underlying policies and runbooks so you can produce them quickly. (17 CFR § 248.30)

How do I define “customer records and information” in practice?

Define it operationally by data types and locations: account documents, identifiers, statements, communications, and any derived datasets tied to customers across systems and third parties. Then maintain a system/third-party inventory that marks where that data is stored or accessible. (17 CFR § 248.30)

What’s the minimum an examiner will expect for third-party oversight?

Expect to show that you know which third parties access customer information, that you conducted due diligence, and that contracts set security and confidentiality expectations consistent with your written procedures. Keep evidence of follow-up on gaps and exceptions. (17 CFR § 248.30)

We’re mostly cloud-based. Do physical safeguards still matter?

Yes. Physical safeguards still apply to your offices, endpoints, paper handling, and media/device disposal. If a third party handles physical media or printing, include that in your third-party oversight scope. (17 CFR § 248.30)

How do I prove safeguards are operating without drowning in screenshots?

Use repeatable evidence sources: access review exports, ticket reports for joiner/mover/leaver actions, log review attestations, disposal certificates, and vendor due diligence packages. Tie each to a control in a matrix so you can produce evidence on request. (17 CFR § 248.30)

What should I do if our written procedures don’t match how IT actually works?

Fix the mismatch quickly. Either revise the procedure to accurately describe the control that is operating, or change the process to meet the written procedure; then document approval and keep the prior version for the audit trail. (17 CFR § 248.30)
