On May 23, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert regarding the storage of electronic customer records in network and cloud-based storage solutions. The Risk Alert signals OCIE’s continued focus on the cybersecurity and data privacy policies and practices of investment advisers and broker-dealers.[1]

Compliance Concerns

The Risk Alert details a number of OCIE Staff concerns observed in recent examinations of registered firms relating to the electronic and cloud-based storage of customer records, including failures to:

  • adequately configure the security settings on the firm’s network storage solution to protect against unauthorized access and to implement policies and procedures addressing the security configuration of the network storage solution;
  • ensure (through policies, procedures, contractual provisions, or otherwise) that the security settings on vendor-provided network storage solutions are configured in accordance with the firm’s standards; and
  • properly identify the types of data stored electronically by the firm and the appropriate controls for each type of data.

Best Practices

The Risk Alert also sets forth examples of policies and practices that OCIE Staff has found to be effective in mitigating the risks associated with cloud-based and other network storage systems, including:

  • policies and procedures designed to support the initial installation, ongoing maintenance and regular review of the network storage solution;
  • guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and
  • vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates do not unintentionally change, weaken or otherwise modify the security configuration.

Key Considerations

As the SEC has demonstrated an ongoing focus on cybersecurity and data privacy compliance,[2] investment advisers and broker-dealers should:

  • review their existing policies and procedures in light of the OCIE Staff observations set forth in the Risk Alert;
  • evaluate the adequacy of the resources, including personnel and funding, that have been allocated to develop and implement the appropriate policies, procedures and oversight recommended in the Risk Alert; and
  • review the appropriateness of the firm’s training programs to ensure that firm personnel properly use and manage network security solutions.

Footnotes

1. The Safeguards Rule of Regulation S-P requires registered investment advisers and broker-dealers to adopt written policies and procedures designed to safeguard customer records and information. The Identity Theft Red Flags Rule of Regulation S-ID requires registered broker-dealers and certain investment advisers to implement an identity theft program to mitigate the risk of individual customers’ identity theft.

2. See In the Matter of Voya Financial Advisors Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048 (Sept. 26, 2018), available at https://www.sec.gov/litigation/admin/2018/34-84288.pdf; In the Matter of Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Investment Advisers Act Release No. 4415 (June 8, 2016), available at https://www.sec.gov/litigation/admin/2016/34-78021.pdf for SEC enforcement settlements including cybersecurity failures at registered firms.
