The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert warning that investment advisers and broker-dealers “[do] not always use the available security features” on various network storage components, including cloud-based solutions, and that their failure to do so may allow unauthorized access to their customers’ personal data. OCIE also described weak or misconfigured security settings that it identified during recent examinations that could raise compliance issues under Regulations S-P and S-ID (requiring investment advisers and broker-dealers to adopt written policies and procedures designed to protect customer records and information and implement a written identity theft prevention program, respectively).
In general, examination results indicated that most network storage solutions offered encryption and password protection, among other security measures, but that these were not always used. More specifically, OCIE staff identified the following issues:
- Misconfigured security settings on network storage solutions and lack of policies and procedures setting forth the security configuration of some firms’ network storage solutions.
- Inadequate oversight of vendor-provided network storage solutions by certain firms, resulting in vendor network storage solutions not being configured according to such firms’ internal standards.
- Insufficient data classification policies and procedures and lack of appropriate controls for each type of data.
In light of these deficiencies, OCIE encouraged registrants to implement a configuration management program that includes policies and procedures covering data classification, vendor oversight and security features. Registrants that already have such a program in place should consider whether it requires any improvements. OCIE also urged investment advisers and broker-dealers to actively oversee the services provided by third-party network storage vendors to ensure that they comply with their regulatory responsibilities.
OCIE provided several examples of what an effective program should contain in practice, such as policies and procedures designed to support the initial installation, ongoing maintenance and regular review of the network storage solution; guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and vendor management policies and procedures that include regular implementation of software patches and hardware updates, followed by reviews to ensure that those patches and updates did not unintentionally change, weaken or otherwise modify the security configuration.
This guidance indicates that the SEC requires proof of good governance practices with respect to information management, from the initial installation of network storage solutions through their ongoing maintenance and review. Simply put, well-written policies should be flexible enough to account for evolving cyberthreats, proportional to the importance of the information being stored and effective even if the storage solution is provided by a third party.
Registrants should note that this announcement comes on the heels of another OCIE risk alert pertaining to the adoption of privacy guidelines. In that alert, OCIE reminded registrants of their obligations under the Safeguards Rule of Regulation S-P to inform customers of such registrants’ privacy policies and practices, and to ensure that these policies and practices are up to date.