On May 23, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert regarding the security of cloud and network data storage solutions. The alert notes risks associated with the storage of customer records and personally identifiable information (PII) by broker-dealers and investment advisers at third-party cloud storage solutions and in network data storage solutions in general.
The Risk Alert states the following concerns with the security of cloud and network data storage solutions:
- Misconfigured security settings – While many cloud and network storage solutions have security settings, these settings may not be properly utilized or configured to minimize the risk of unauthorized access. This is often the result of lack of oversight upon initial implementation, or lack of specific policies and procedures related to safe network data storage.
- Lack of vendor security oversight – Firms may not adequately vet their vendors who provide network storage solutions, or who provide other services, in terms of data security. Policies, procedures, and contractual provisions are often not spelled out to ensure adherence to the firm’s security standards.
- Inadequate data classification – Firms have been found to lack insufficent policies and procedures regarding data classification and appropriate controls for each data type which is leading to heightened security concerns.
The OCIE Risk Alert warns that broker-dealers and investment advisers who do not adequately address these security concerns are at risk of being cited for violation of SEC rules. Specific related compliance issues include Regulation S-P (the Safeguards Rule) requiring adoption of written policies and procedures toward safeguarding customer records and information, as well as Regulation S-ID (the Identity Theft Red Flag Rule), requiring development and implementation of an identity theft prevention program.
OCIE recommends that broker-dealers and investment advisers take active steps to address these concerns. Recommendations include devising and updating configuration management programming to include policies and procedures for data classification, vendor oversight, and security feature implementation. This programming should cover installation, maintenance, and regular review of cloud and in-house network storage solutions. Additionally, vendor oversight is encouraged and should include patching programs and implementation of other data security elements.
ACA Aponix Guidance
ACA Aponix recommends taking the following actions regarding the OCIE data storage Risk Alert:
- Review and update your firm's existing configuration management policies and procedures to ensure appropriate coverage of data security items, including data classification, data security, and data storage.
- Validate and enhance existing security controls with your firm's cloud and network storage solutions, ensuring that configuration is aligned with your firm’s policies and procedures. Do not rely on default or assumed configurations.
- Review security policies and standards at third-party vendors to ensure appropriate adherence to your firm's security policies and procedures.
How ACA Aponix Can Help
ACA Aponix offers the following solutions that can help your firm meet SEC regulatory requirements related to cybersecurity:
- Policies, procedures. and governance
- Mock SEC cyber exams
- Microsoft® Office 365® security assessments
- Cybersecurity and technology risk assessments
- Vendor diligence and management
- Cyber incident response planning
- Penetration testing and vulnerability assessments
- Threat intelligence
ACA Aponix Regulatory Cyber Resources
The following ACA resources are available to help your firm prepare for an SEC examination:
- Alert: SEC Conducting Cyber Compliance Examination Sweep of Registered Investment Advisers (RIAs)
- Alert: SEC Updates Document Request List for Cybersecurity Examinations
- Blog: Preparing for SEC Cyber Compliance – What You Need to Know
- Webcast: SEC Examination Priorities and Focus Areas for 2019
- Alert: SEC Announces 2019 Examination Priorities
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.