OCIE Issues Risk Alert Regarding the Safeguarding of Customer Records and Information in Network Storage
On May 23, 2019, the Office of Compliance Inspections and Examinations (“OCIE”) of the SEC issued a risk alert (the “Risk Alert”) to provide investment advisers and broker-dealers with information regarding common deficiencies in recent examinations with respect to security risks associated with the storage of electronic customer records and information in various network-storage solutions, including the electronic storage of information on infrastructure owned and operated by a hosting company or service provider (“cloud storage”). According to the Risk Alert, OCIE examiners identified the following concerns that may raise compliance issues under Regulations S-P and S-ID:
- Misconfigured network storage solutions. In some cases, firms did not adequately configure settings on their network storage solution to prevent unauthorized access or did not have policies and procedures addressing the security configuration of their network storage solution.
- Inadequate oversight of vendor-provided network storage solutions. In some cases, firms did not implement policies, procedures, or contractual provisions to appropriately configure security settings on vendor-provided network storage solutions.
- Insufficient data-classification policies and procedures. In some cases, firms’ policies and procedures did not appropriately identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
In addition, the Risk Alert lists several features of effective configuration-management programs, data-classification procedures, and vendor-management programs observed by OCIE, including:
- Policies and procedures designed to support the installation, maintenance, and review of the network storage solution;
- Guidelines for security controls and baseline security configuration standards; and
- Vendor management policies and procedures that address regular software patch and hardware updates and review.