During recent examinations, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) identified security risks associated with the storage of electronic customer records and information by broker/dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage.
These risks are outlined in a Risk Alert published recently by the OCIE. Such publications are often issued by the SEC when emerging systematic risk is observed among advisers and brokers, effectively serving as a guide to help with compliance and a warning that SEC inspections staff will be focused on this issue in upcoming reviews.
Summarizing the matter, the Risk Alert states that, while the majority of these cloud-based network storage solutions offer encryption, password protection, and other security features designed to prevent unauthorized access, examiners observed that firms did not always use the available security features.
“Weak or misconfigured security settings on a network storage device could result in unauthorized access to information stored on the device,” the Risk Alert says.
According to SEC staff, some firms’ lax practices in this area could be violating Regulations S-P and S-ID. In particular, SEC staff is concerned that advisers and brokers are using “misconfigured” network storage solutions.
“In some cases, firms did not adequately configure the security settings on their network storage solution to protect against unauthorized access,” the Risk Alert wars. “In addition, some firms did not have policies and procedures addressing the security configuration of their network storage solution. Often, misconfigured settings resulted from a lack of effective oversight when the storage solution was initially implemented.”
The Risk Alert goes on to state that inadequate oversight of vendor-provided network storage solutions is also troublingly common. In some cases, SEC says, firms did not ensure, through policies, procedures, contractual provisions, or otherwise, that the security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards.
Another broad issue identified by the SEC examiners is insufficient data classification policies and procedures. In some cases, firms’ policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
“The implementation of a configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features will help to mitigate the risks incurred when implementing on-premises or cloud-based network storage solutions,” the Risk Alert says.
During recent reviews, OCIE staff has also observed several features of effective configuration management programs, data classification procedures, and vendor management programs.
“These include policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution; guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration,” the Risk Alert says.
OCIE concludes the Risk Alert by encouraging registered broker/dealers and investment advisers to review their practices, policies, and procedures with respect to the storage of electronic customer information and to consider whether any improvements are necessary. OCIE also encourages firms to actively oversee any vendors they may be using for network storage to determine whether the service provided by the vendor is sufficient to enable the firm to meet its regulatory responsibilities.