OCIE Publishes Risk Alert on Safeguarding of Customer Information Stored on Network Storage Solutions


On May 23, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (Risk Alert) regarding the safeguarding of customer information stored on cloud and other network storage solutions.

During recent examinations, the OCIE staff observed that several firms were not adequately using the security features offered by their network storage solutions. The OCIE is concerned that this may allow unauthorized persons to gain access to customer records and information, leading to compliance issues under Regulation S-P and Regulation S-ID. The Risk Alert generally suggests that firms should (1) include a review of network storage solutions as part of their regular compliance and information security reviews, and (2) actively oversee the vendors they use for network storage to determine whether the service the vendor provides is sufficient to enable the firm to meet its regulatory responsibilities.

Several practices were flagged as potential sources of compliance issues. First, the staff noticed that storage settings were misconfigured because no one had overseen the settings at the time the network storage solution was first implemented. Second, some firms failed to ensure that the security settings of vendor-provided network storage solutions were configured in a manner that complied with the firms' own internal standards. Lastly, the staff observed that firms' policies and procedures did not sufficiently classify the types of data stored electronically, so firms lacked appropriate controls for each type of data.

The OCIE recommended a number of measures that can mitigate the risks associated with storing customer records and information on network storage solutions and that together form an “effective configuration management program, data classification procedures and vendor management programs.” Firms should consider adopting policies and procedures that address the initial installation, continuing maintenance and regular review of network storage solutions. Additionally, firms may establish guidelines regarding the security controls for network storage solutions and “baseline” security configuration standards. Finally, they can adopt “vendor management” policies and procedures that address the regular implementation of software patches and hardware updates, as well as subsequent reviews to ensure that such updates do not “unintentionally change, weaken or otherwise modify the security configuration.”

It is worth noting that the release does not address whether the use of network storage solutions is consistent with the recordkeeping requirements of the Investment Advisers Act of 1940 or the Securities Exchange Act of 1934. This silence is indicative of the SEC's acquiescence in the use of network storage solutions.

Click here to read the SEC’s Risk Alert.

Darren Mooney

Partner and Co-Head of Business Development

Annie Kong

Partner and Head of Venture Capital