On May 23, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (Risk Alert) regarding the safeguarding of customer information stored on cloud and other network storage solutions.
During recent examinations, the OCIE staff observed that several firms were not adequately using the security features offered by their network storage solutions. The OCIE is concerned that this may lead to instances where unauthorized persons may gain access to customer records and information, leading to compliance issues under Regulation S-P and Regulation S-D. The Risk Alert generally suggests that firms should (1) include a review of network storage solutions as part of their regular compliance and information security reviews, and (2) actively oversee the vendors they use for network storage to determine whether the service provided by the vendor is sufficient to enable them to meet their regulatory responsibilities.
Several practices were flagged as potential sources of compliance issues. First, the staff noticed that storage settings were misconfigured due to a failure to oversee settings at the time the network storage solution was first implemented. Second, some firms failed to ensure that the security settings of network storage solutions provided by vendors were configured in a manner that complied with their own internal standards. Lastly, the staff observed that firms’ policies and procedures did not sufficiently classify the types of data stored electronically, and thus, firms lacked appropriate controls for each type of data.
The OCIE recommended a number of measures that can mitigate the risks associated with storing customer records and information on network storage solutions, which together contribute to an “effective configuration management program, data classification procedures and vendor management programs.” Firms should consider adopting policies and procedures that address the initial installation, continuing maintenance and regular review of network storage solutions. Additionally, firms may establish guidelines regarding the security controls for network storage solutions and “baseline” security configuration standards. Finally, they can adopt “vendor management” policies and procedures that address the regular implementation of software patches and hardware updates, as well as subsequent reviews to ensure that such updates do not “unintentionally change, weaken or otherwise modify the security configuration.”
It is worth noting that the release does not address whether the use of network storage solutions is consistent with the recordkeeping requirements under the Investment Advisers Act of 1940 or the Securities Exchange Act of 1934. This silence is indicative of the SEC’s acquiescence towards the use of network storage solutions.