On May 23, 2019, the SEC's Office of Compliance Inspections and Examinations (OCIE) published a risk alert identifying certain security risks associated with cloud-based and other network storage solutions used by investment advisers and broker-dealers for storing electronic customer records and information. OCIE's latest risk alert is intended to encourage firms to (1) review their practices, policies and procedures for storing electronic customer information and determine whether improvements are necessary; and (2) actively monitor vendors used for network storage to assess whether the services provided are sufficient to enable the firm to satisfy its regulatory obligations.
OCIE identified the following concerns that may raise compliance issues under the Safeguards Rule of Regulation S-P and the Identity Theft Red Flags Rule of Regulation S-ID:
- Misconfigured network storage solutions. Failure to adequately configure security settings on the firm's network storage solution to protect against unauthorized access--often a result of ineffective oversight at the solution's initial implementation--or failure to adopt policies and procedures addressing security configurations.
- Inadequate oversight of vendor-provided network storage solutions. Failure to ensure--through policies, procedures, contract terms or otherwise--that security settings on vendor-provided network storage solutions were configured in accordance with the firm's standards.
- Insufficient data classification policies and procedures. Policies and procedures that did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
The risk alert also includes examples of what OCIE considers effective configuration management programs, data classification procedures and vendor management programs, such as policies and procedures designed to support the initial installation, ongoing maintenance and regular review of the firm's network storage solution.
OCIE's announcement and a link to the risk alert are available at: https://www.sec.gov/ocie/announcement/risk-alertnetwork-storage