The staff (the “Staff”) of the SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert regarding security risks associated with the storage of electronic customer records and information by broker-dealers and investment advisers (collectively, “firms”) using various network storage solutions, including cloud-based storage. During examinations, the Staff identified the following concerns that may raise compliance issues under Regulations S-P and S-ID, which require firms to adopt policies and procedures designed to protect customer information and data:
- Misconfigured network storage solutions. Firms failed to adequately configure the security settings on their network storage solution to protect against unauthorized access or develop policies and procedures addressing the security configuration of their network storage solution.
- Inadequate oversight of vendor-provided network storage solutions. Firms failed to ensure, through policies, procedures, contractual provisions, or otherwise, that security settings on network storage solutions offered by third-party vendors were configured to the firms’ standards.
- Insufficient data classification policies and procedures. Firms’ policies and procedures failed to identify the different types of electronic data stored and the appropriate controls for different types of data.
Configuration management program.
The Staff stated that the implementation of a configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features will help address the risks presented by network storage solutions. Features of effective configuration management programs observed by the Staff include:
- Policies and procedures designed to support the installation, maintenance and review of network storage solutions.
- Guidelines for security controls and baseline security configuration standards to ensure proper configuration of each network solution.
- Vendor management policies and procedures governing regular implementation of software patches and hardware updates followed by subsequent security configuration reviews.
S&K Observations
In light of the concerns regarding the security of network storage solutions identified by the Staff, firms should review the adequacy and effectiveness of their practices, policies and procedures with respect to the storage of electronic customer information and oversight of vendors providing network storage solutions.