On May 23, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the US Securities and Exchange Commission published a Risk Alert entitled “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features,” which addresses risks associated with the storage – including cloud-based storage – of electronic customer records by investment advisers and broker-dealers.
In particular, OCIE found in recent examinations that some firms (i) were not properly configuring and using available security features, including encryption and password protection, to protect stored data; (ii) had inadequate oversight of vendor-provided network storage solutions; and (iii) had insufficient data classification policies and procedures. The Risk Alert noted that these deficiencies could raise compliance issues under Reg S-P (17 CFR 248.30(a)) and Reg S-ID (17 CFR 248.201).
The Risk Alert also identified steps that investment advisers and broker-dealers could take to mitigate the risk. In particular:
- policies and procedures designed to support the installation, maintenance and regular review of network storage solutions;
- guidelines that ensure proper, secure configuration of network storage solutions; and
- vendor management policies that include regular hardware updates, software patches, and analysis of the security implications of the updates.
Finally, since cloud-based and other storage solutions may depend on infrastructure owned and operated by a third-party vendor, the Risk Alert encourages firms to engage in active oversight of these service providers to ensure compliance with all regulatory responsibilities.