OCIE Identifies Security Risks To Cloud-Based Records Storage

Cadwalader, Wickersham & Taft LLP

Contributor

Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.

In a Risk Alert, the SEC Office of Compliance Inspections and Examinations ("OCIE") urged broker-dealers and investment advisers to review their practices and policies governing the storage of electronic information, particularly as to customer information maintained in the cloud.

During examinations, the OCIE staff observed that firms:

  • storing electronic records using third-party services (e.g., cloud-based storage) failed to use the data protection tools that the service provider made available to them;
  • were not sufficiently configuring the security settings to safeguard against unauthorized access;
  • lacked adequate policies, procedures or contractual provisions to ensure that the security settings or vendor-provided network storage solutions were configured in alignment with the firm's policies; and
  • had policies and procedures that failed to identify the types of data stored electronically by the firm and the appropriate controls for each type of data.

The OCIE staff noted that these failures raised serious issues under Regulations S-P and S-ID (Privacy of consumer financial information, safeguarding private information and identity theft red flags).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
