RIA Compliance and Practice Management Blog

SEC Cybersecurity Risk Alert Flags Network Storage Issues

Posted by RIA in a Box

May 30, 2019 10:50:48 AM

SEC network storage cybersecurity risk alertOn May 23, 2019, the Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") released a new risk alert noting that during recent audits, OCIE staff have "identified security risks associated with the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage." In particular, OCIE staff has observed that many firms are not making use of available security features offered by network storage providers. As such, the risk alert highlights, "weak or misconfigured security settings on a network storage device could result in unauthorized access to information stored on the device."

Schedule a Demo of the MyRIACompliance Cybersecurity Platform

Issues with On-Premise and Cloud-Based Network Storage Solutions

SEC OCIE staff identified the following issues that may raise compliance issues for registered investment adviser ("RIA") firms under Regulations S-P (the "Safeguard Rule") and S-ID (the "Identify Theft Red Flags Rule"):

  1. Misconfigured network storage solutions: In particular, OCIE staff noted that "often, misconfigured settings resulted from a lack of effective oversight when the storage solution was initially implemented." We recommend that RIA firms which lack the internal resources and expertise to properly install on-premise network storage solutions utilize a third party resource to assist with the initial installation and ongoing monitoring and maintenance. 
  2. Inadequate oversight of vendor-provided network storage solutions: Many modern cloud-based storage solutions offer a plethora of cutting-edge security features. However, as the risk alert highlights, firms need to ensure that these features are properly implemented. When available, RIA firms should be sure to utilize security features such as encryption and two-factor authentication in order to better protect sensitive data.
  3. Insufficient data classification policies and procedures: In order to properly protect sensitive data stored electronically, advisory firms first need to take a step back and properly identify the different types of data stored and the "appropriate controls for each type of data."

As has been seen in past guidance, the OCIE staff is understandably not taking a stance on whether RIA firms should store sensitive data onsite with an on-premise server or utilize a 3rd party cloud-based solution. Rather, whether storing sensitive client information onsite or in the cloud, firms need to ensure they are taking the proper information security precautions. 

Examples of Effective Network Storage Cybersecurity Practices

The risk alert highlights "the implementation of a configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features will help to mitigate the risks incurred when implementing on-premise or cloud-based network storage solutions." OCIE staff recommends the following best practices:

  • Policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution;
  • Guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and
  • Vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.

The vendor management policies and procedures highlighted above in relation to software patches and hardware updates are particularly interesting as this is fairly prescriptive guidance being provided. As such, RIA firms should consider incorporating a review of software patch and hardware update procedures when performing third party vendor due diligence. In addition, advisory firms should closely monitor whether any software patches or hardware updates implemented for their own technology systems unknowingly impact the security settings of on-premise or cloud-based network storage solutions.

This latest risk alert continues to highlight the SEC's continued focus on cybersecurity-related compliance issues for investment advisers and follows a recent Reg S-P risk alert which also cited a number of common cybersecurity-related issues. Furthermore, in recent cybersecurity-related investment adviser SEC enforcement actions, violation of the Safeguard Rule has been specifically cited. As such, we highly recommend that the Chief Compliance Officer ("CCO") and all advisory firm principals carefully review this latest SEC RIA compliance risk alert. Failure to address the network storage issues and to establish and implement the highlighted policies and procedures could lead to serious regulatory compliance issues.

Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.

Download Our Free RIA Wire Fraud Prevention Checklist 


Topics: RIA Operations, RIA Compliance

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

RIA Compliance & Practice Management

Stay up to date on the latest RIA compliance, operations, and technology topics.

Hear from industry experts as they keep you up to date on the latest regulatory developments and practice management topics.

Subscribe to Email Updates

Recent Posts