Avoidable Errors, Enduring Lessons: What the SEC’s Lost Gensler Texts Teach the Rest of Us
TL;DR: SEC OIG Report 587 found avoidable IT and governance errors erased nearly a year of former SEC Chair Gary Gensler’s texts. Financial firms should harden capture, retention/WORM, MDM change control, and logging to prevent similar recordkeeping failures.
Key takeaways:
- Device automation + rushed resets can permanently erase records
- “Inactive device” policies need backup and legal-hold guardrails
- Logs are essential to prove capture/retention and enable RCA
- Bans alone push staff to shadow channels; regulators will still fine
- Design programs end-to-end: capture, retention, supervision and search
On September 3, 2025, the SEC Office of Inspector General (OIG) issued Report No. 587 detailing how automated mobile-device policies, weak change controls, missing logs, and a rushed factory reset erased nearly a year of former SEC Chair Gary Gensler’s text messages (Oct 18, 2022 – Sept 6, 2023). The loss underscores a truth financial firms know all too well: records are fragile when governance gaps exist.
The OIG found that Gensler’s device had not been backed up for nearly a year. An “inactive device” policy triggered a remote wipe, and in an effort to restore the device quickly, IT staff performed a factory reset that permanently deleted text messages and logs. The SEC later removed texting from agency devices, notified the National Archives of lost records, and promised stronger safeguards. But the lessons extend far beyond one agency.
Why this matters for financial services
- Records aren’t channel-specific. Broker-dealers and RIAs must preserve business communications regardless of the medium under SEC Rule 17a-4 and Advisers Act Rule 204-2. If a channel is used but not captured, firms inherit legal and regulatory risk.
- Deletion risk isn’t always malicious. At the SEC, automation and rushed troubleshooting, not intent, caused the loss. Firms face the same risk if mobile device management (MDM), data loss prevention (DLP), or device refresh processes erase records without backup and legal-hold guardrails.
- “Ban and pray” doesn’t work. The SEC’s texting ban reduced one risk but raised another: employees turning to personal or shadow channels. Regulators have repeatedly fined firms for off-channel communications, with billions in penalties since 2021.
- Regulators expect completeness and speed. Firms must show records are preserved in a WORM-compliant format, searchable, and produced quickly. Gaps or delays draw scrutiny.
What happened (and what it illustrates)
- Silent disconnects matter. Gensler’s phone stopped checking in with the MDM but was still in use. Automated “inactive” logic treated it as stale, leading to deletion. Many firms rely on similar triggers without backup assurance.
- Change control is governance. A poorly vetted “emergency” policy change caused cascading failure. In compliance terms, any technological change must be assessed for its impact on recordkeeping.
- Logs are your lifeline. Missing or deleted logs made root-cause analysis impossible. In financial services, logs are critical to prove capture, retention, and supervision were working.
Smarsh perspective: Program design beats point fixes
From our work with global financial firms, three truths stand out:
- Capture must follow the conversation. Employees use what’s easiest. Compliance requires native-quality capture across email, SMS, WhatsApp, Slack, Teams, Zoom Chat, LinkedIn, and more — plus a clear intake process for new channels that emerge.
- Retention + supervision + search are one motion. It’s not enough to retain messages. You need retention aligned to SEC 17a-4, robust supervision, legal hold, and fast, defensible production.
- Security can’t quietly delete records. MDM and other security tools must be integrated with compliance processes. No device wipe or app removal should proceed without confirming backups, logs, and record retention.
Practical blueprint for firms
- Govern channels, don’t just block them. Provide approved, monitored options for mobile and collaboration messaging. Shadow channels thrive in the absence of workable tools.
- Protect executives and high-risk roles. Enforce enhanced backup schedules, no-wipe-without-approval policies, and change control for senior users.
- Harden change control. Add recordkeeping impact reviews to any IT change that may affect communications or storage.
- Detect silent failures. Monitor for capture errors, connector outages, and inactive device alerts, escalating high-risk cases immediately.
- Log like your case depends on it. Aggregate device and capture logs in a SIEM and keep them long enough to support investigations and audits.
- Practice for a bad day with a tabletop exercise. Walk through gap analysis, reconstruction, notifications, and regulatory posture — then fix what the exercise reveals.
- Document your design choices. Map each channel to capture method, retention rule, supervision control, and e-discovery path. Keep evidence packs current for exams and investigations.
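The wipe guardrail from the points above (silent disconnects, backups, legal hold, approval for senior users), sketched as an added example that is not code from the OIG report or from Smarsh. The field names, the thresholds, and the "seen elsewhere" activity signal are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Illustrative thresholds (assumptions, not values from the OIG report).
INACTIVE_AFTER = timedelta(days=45)
SLACK = timedelta(days=1)

@dataclass
class Device:
    device_id: str
    last_mdm_checkin: datetime
    last_backup: Optional[datetime]   # None = never backed up
    last_seen_elsewhere: datetime     # e.g. mail or VPN sign-in from the device
    legal_hold: bool = False
    high_risk_role: bool = False      # executives and other senior users
    approval_ticket: Optional[str] = None

def evaluate_wipe(dev: Device, now: datetime) -> dict:
    """Decide whether an automated 'inactive device' wipe may proceed."""
    blockers = []
    last_use = max(dev.last_mdm_checkin, dev.last_seen_elsewhere)
    if now - dev.last_mdm_checkin < INACTIVE_AFTER:
        blockers.append("device is not inactive")
    if dev.last_seen_elsewhere - dev.last_mdm_checkin > SLACK:
        blockers.append("silent disconnect: in use after last MDM check-in")
    if dev.last_backup is None or dev.last_backup < last_use - SLACK:
        blockers.append("backup does not cover the period of use")
    if dev.legal_hold:
        blockers.append("device under legal hold")
    if dev.high_risk_role and not dev.approval_ticket:
        blockers.append("high-risk user: wipe needs recorded approval")
    # The returned record doubles as the audit entry; send it to central
    # logging before acting so it survives a reset of the device itself.
    return {"device_id": dev.device_id, "evaluated_at": now.isoformat(),
            "action": "escalate" if blockers else "wipe", "blockers": blockers}

# Constructed sample data.
NOW = datetime(2025, 1, 15)
in_use = Device("dev-001", last_mdm_checkin=NOW - timedelta(days=60),
                last_backup=NOW - timedelta(days=300),
                last_seen_elsewhere=NOW - timedelta(days=1), high_risk_role=True)
stale = Device("dev-002", last_mdm_checkin=NOW - timedelta(days=90),
               last_backup=NOW - timedelta(days=89),
               last_seen_elsewhere=NOW - timedelta(days=90))
```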
The bottom line
The SEC’s loss of Chair Gensler’s texts is more than an IT mishap. It is a case study in fragile recordkeeping when security and compliance are not tightly integrated. For financial services firms, the parallels are clear: avoidable errors become regulatory failures if capture, retention, supervision, and logging aren’t designed end-to-end.
How Smarsh can help
With Smarsh, firms can capture the full conversation across channels, preserve it immutably, supervise it effectively, and prove it when regulators come calling. That’s how you avoid turning avoidable errors into billion-dollar lessons.