May 23, 2019

New OCIE Risk Alert focuses on secure network storage of consumer data

On May 23, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the US Securities and Exchange Commission published a Risk Alert entitled “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features,” which addresses risks associated with the storage – including cloud-based storage – of electronic customer records by investment advisers and broker-dealers.

In particular, OCIE found in recent examinations that some firms (i) were not properly configuring and using available security features, including encryption and password protection, to protect stored data; (ii) had inadequate oversight of vendor-provided network storage solutions; and (iii) had insufficient data classification policies and procedures. The Risk Alert noted that these deficiencies could raise compliance issues under Reg S-P (17 CFR 248.30(a)) and Reg S-ID (17 CFR 248.201).

The Risk Alert also identified steps that investment advisers and broker-dealers could take to mitigate the risk. In particular:

  • policies and procedures designed to support the installation, maintenance and regular review of network storage solutions;
  • guidelines that ensure proper, secure configuration of network storage solutions; and
  • vendor management policies that include regular hardware updates, software patches, and analysis of the security implications of the updates.

Finally, since cloud-based and other storage solutions may depend on infrastructure owned and operated by a third-party vendor, the Risk Alert encourages firms to engage in active oversight of these service providers to ensure compliance with all regulatory responsibilities.

SEC announcement | OCIE Risk Alert