OCIE Publishes Risk Alert regarding Safeguarding of Customer Information Stored on Cloud and Other Network Storage Solutions

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a National Exam Program Risk Alert on May 23, 2019, which identifies security risks and best practices associated with the storage of customer records and information by investment advisers and broker-dealers (collectively, firms) in the cloud and on other electronic network storage solutions (collectively, network storage solutions).

According to the Risk Alert, the OCIE staff (Staff) observed during recent examinations that, although most network storage solutions (e.g., cloud-based storage) offer security features that are designed to prevent access by unauthorized persons (including password protection, encryption and other features), some firms did not always use the offered security features. The Staff further noted that “weak or misconfigured security settings on a network storage device could lead to unauthorized access to information stored on the device.” Such unauthorized access may involve access to customer records and information, which could lead to compliance issues under Regulation S-P (Reg. S-P) and Regulation S-ID (Red Flags Rule).1

The Risk Alert does not discuss whether a firm’s use of network storage solutions would be consistent with the time, place and manner requirements for maintaining records pursuant to Rule 204-2 under the Investment Advisers Act of 1940 or the electronic record storage requirements of Rule 17a-4 under the Securities Exchange Act of 1934. The Staff‘s silence on the requirements of these rules suggests, at a minimum, acquiescence to the use of network storage solutions by regulated firms.

Issues Observed by OCIE Staff

The Risk Alert highlights the following as “concerns that may raise compliance issues under” Reg. S-P and the Red Flags Rule: 

• Misconfigured network storage solutions. The Staff observed that some firms did not adequately configure security settings for network storage solutions. The staff noted that in some instances, the storage settings were misconfigured due to a failure to oversee those settings at the time the network storage solution was first implemented. The Staff further observed that some firms’ policies and procedures did not address the configuration of these security settings.  

• Inadequate oversight of vendor-provided storage solutions. The Staff observed that some firms failed to ensure (through policies and procedures, contractual obligations or otherwise) that the security settings of network storage solutions provided by vendors were configured in a manner that complied with the firms’ internal standards.  

• Insufficient data classification policies and procedures. The Staff observed that the types of data stored electronically and appropriate controls for each type of data were not addressed in some firms’ policies and procedures. 

Effective Practices Identified by OCIE Staff

The Staff explained that firms can mitigate the risks associated with storing customer records and information on a network storage solution by implementing configuration management programs, which should include security features as well as policies and procedures that govern data classification and vendor oversight. According to the Staff, the following are features of “effective configuration management program, data classification procedures, and vendor management programs”: 

• Policies and procedures that address the initial installation, continuing maintenance and regular review of a firm’s network storage solutions.  

• Guidelines regarding the security controls for network storage solutions and “baseline” security configuration standards.  

• “Vendor management” policies and procedures that address the regular implementation of software patches and hardware updates, as well as subsequent reviews to ensure that such updates do not “unintentionally change, weaken, or otherwise modify the security configuration.” 

Recommendations

Firms should consider whether their practices are in line with the effective practices (and avoid the pitfalls) the Staff cited in the Risk Alert, and enhance practices as needed. Firms should periodically review configurations to assure that they are reasonably designed to meet business and security needs as well as regulatory requirements. Notably, the Risk Alert also illustrates that it is important for firms to take an active role with respect to vendor oversight, particularly when engaging vendors that provide network storage solutions to the firm.

Although not discussed in the Risk Alert, broker-dealers also will want to consult the Financial Industry Regulatory Authority’s Notice to Members 05-48 (regarding policies and procedures when outsourcing activities or functions to third-party vendors) and Regulatory Notice 11-48 (discussing proposed Rule 3190, which would clarify FINRA members’ responsibilities with respect to outsourcing).

Conclusion

The Risk Alert takes a nuanced look at how firms are addressing information security as it relates to the storage of customer records and information on network storage solutions. Firms may decide to review their policies and procedures with respect to the storage of customer records and information to determine whether enhancements are needed to address the concerns discussed in the Risk Alert. Firms also should include review of network storage solutions as part of their regular compliance and information security reviews.

Footnotes

_{1) The Safeguards Rule of Reg. S-P requires registered broker-dealers and investment advisers to have in place written policies and procedures that are reasonably designed to safeguard customer records and information. The Red Flags Rule requires registered broker-dealers and investment advisers that offer or maintain “covered accounts” to establish programs to “detect, prevent, and mitigate” the risk of identity theft. A “covered account” includes an account that a broker-dealer or investment adviser “offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.”}