The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently noted that ineffective practices, policies, and procedures governing the use of third-party cloud-based storage platforms could result in compliance issues under Regulations S-P (Safeguards Rule) and S-ID (Identity Theft Red Flag Rule). As a result, OCIE has issued a Risk Alert advising broker-dealers and investment advisors to implement and oversee security programs that ensure the protection of customer records and personally identifiable information stored on third-party cloud-based networks.
Specifically, OCIE recognized three major risk factors associated with cloud-based storage:
- Failure to configure security settings on network storage solutions sufficiently to protect against unauthorized access
- Failure to adequately supervise vendor procedures to confirm that third-party vendors’ security settings align with the firms’ internal policies and settings
- Failure to put in place proper procedures governing data classification to ensure that proper controls are applied to each data type
OCIE urges broker-dealers and investment advisors to take active steps to execute effective configuration management programs, data classification procedures, and vendor management programs to protect customer information and avoid the risks above. Such steps may include, but are not limited to, the following:
- conducting ongoing maintenance and periodic review of the network storage solution;
- setting guidelines and standards for security controls and configurations;
- establishing vendor management oversight to vet vendor-provided network storage solutions; and
- creating vendor management procedures, such as implementing software and hardware updates followed by post-implementation assessments that identify any accidental changes to the security configuration.
Broker-dealers and investment advisors should evaluate (and periodically re-evaluate) their network storage security settings to avoid any and all cyber-enabled threats associated with cloud-based storage.