On May 23, 2019, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert to summarize frequent mistakes and effective practices by broker-dealers and investment advisers relating to the storage of clients’ data. In particular, OCIE warned that issues relating to cloud storage arose even when firms had cybersecurity measures for their data storage because firms did not utilize the available security features.
Regulations S-P and S-ID require registered broker-dealers and investment advisers to, amongst other things, protect customer information by adopting written policies and procedures and developing an identity theft prevention program. However, OCIE noted three common issues among firms:
- Firms misconfigured their network storage solutions so that their policies and procedures, as well as the security settings of the cloud services themselves, did not adequately protect against unauthorized access.
- Through a variety of means, firms did not adequately oversee the configuration of network settings for vendor-provided network storage.
- Firms’ policies and procedures failed to adequately identify the different types of data stored electronically and so firms failed to develop appropriate controls for the data.
In its Risk Alert, OCIE did provide several examples of steps some firms are successfully taking to help mitigate the risks of utilizing on-site or cloud storage of customer information:
- Policies and procedures designed to support the (a) initial installation, (b) ongoing maintenance, and (c) regular review of the network storage solution.
- Guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly.
- Vendor management policies and procedures that include regular implementation of software patches and hardware updates followed by reviews of the updates.
In light of OCIE’s warnings in the Risk Alert, registered broker-dealers and investment advisers should consider reviewing their relevant policies and procedures as well as the security controls for their data services in order to comply with Regulations S-P and S-ID.
Good Day. DR2.