On May 23, 2019, the Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") released a new risk alert noting that during recent examinations, OCIE staff "identified security risks associated with the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage." In particular, OCIE staff observed that many firms are not making use of the security features their network storage providers already offer. As the risk alert puts it, "weak or misconfigured security settings on a network storage device could result in unauthorized access to information stored on the device."
Issues with On-Premises and Cloud-Based Network Storage Solutions
SEC OCIE staff identified the following issues that may raise compliance concerns for registered investment adviser ("RIA") firms under Regulation S-P (the "Safeguards Rule") and Regulation S-ID (the "Identity Theft Red Flags Rule"):
- Misconfigured network storage solutions: OCIE staff noted that "often, misconfigured settings resulted from a lack of effective oversight when the storage solution was initially implemented." In other words, the weakness is usually introduced on day one and never revisited. We recommend that RIA firms that lack the internal resources and expertise to properly install an on-premises network storage solution engage a qualified third party to assist with the initial installation and with ongoing monitoring and maintenance, and that the approved configuration be documented at installation so later reviews have something to compare against.
- Inadequate oversight of vendor-provided network storage solutions: Modern cloud-based storage services offer a wide range of security features, but those features protect nothing unless the firm turns them on and configures them correctly; the risk alert makes clear that responsibility for doing so rests with the firm, not the vendor. When available, RIA firms should enable controls such as encryption of stored data and multi-factor (two-factor) authentication for access to it.
- Insufficient data classification policies and procedures: To protect electronically stored sensitive data, advisory firms first need to identify the different types of data they store and define the "appropriate controls for each type of data." Without that inventory, a firm cannot tell which storage locations hold client records and therefore which settings matter most.
Consistent with past guidance, OCIE staff is understandably not taking a position on whether RIA firms should store sensitive data on an on-premises server or use a third-party cloud-based solution. Rather, whether client information is stored onsite or in the cloud, firms need to ensure they are taking the proper information security precautions.
Examples of Effective Network Storage Cybersecurity Practices
The risk alert states that "the implementation of a configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features will help to mitigate the risks incurred when implementing on-premise or cloud-based network storage solutions." OCIE staff recommends the following practices:
- Policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution;
- Guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and
- Vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.
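The second and third practices above amount to a configuration baseline plus a post-update drift review. The following is an added example of how that review can be automated; it is not code from the risk alert or from any storage vendor. The setting names, the baseline values and the "before update" and "after update" snapshots are all constructed for illustration (a real check would read them from the storage product's or cloud provider's configuration export).

```python
"""Baseline configuration check and post-update drift review for a network
storage solution.

Added example with hypothetical setting names; the snapshots below are
constructed, not taken from a real device.
"""
from dataclasses import dataclass
from typing import Any, Callable

# Constructed baseline: the minimum each control must meet before the storage
# solution is approved to hold client records.
BASELINE: dict[str, Any] = {
    "encryption_at_rest": True,
    "tls_min_version": "1.2",
    "mfa_required": True,
    "public_access_blocked": True,
    "anonymous_read": False,
    "audit_logging": True,
    "password_min_length": 14,
}


def _ver(v: Any) -> tuple[int, ...]:
    """Turn a dotted version string such as "1.2" into a comparable tuple."""
    return tuple(int(p) for p in str(v).split("."))


# Settings that may exceed the baseline; everything else must match exactly.
CHECKS: dict[str, Callable[[Any, Any], bool]] = {
    "tls_min_version": lambda actual, expected: _ver(actual) >= _ver(expected),
    "password_min_length": lambda actual, expected: actual >= expected,
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Any
    actual: Any  # None when the setting is absent from the snapshot
    reason: str


def check_against_baseline(config: dict[str, Any]) -> list[Finding]:
    """Return one Finding per baseline control the snapshot fails.

    A setting missing from the snapshot is itself a finding: an update that
    drops or renames a setting silently reverts it to the vendor default.
    """
    findings: list[Finding] = []
    for setting, expected in BASELINE.items():
        if setting not in config:
            findings.append(Finding(setting, expected, None,
                                    "missing from snapshot; default may apply"))
            continue
        actual = config[setting]
        judge = CHECKS.get(setting, lambda a, e: a == e)
        if not judge(actual, expected):
            findings.append(Finding(setting, expected, actual,
                                    "does not meet baseline"))
    return findings


def post_update_review(before: dict[str, Any],
                       after: dict[str, Any]) -> dict[str, list]:
    """Compare snapshots taken before and after a patch or hardware update.

    "changed" lists every setting whose value differs (informational);
    "weakened" lists only the baseline controls that passed before and fail
    now, which is what the reviewer must act on.
    """
    changed = sorted(k for k in set(before) | set(after)
                     if before.get(k) != after.get(k))
    failing_before = {f.setting for f in check_against_baseline(before)}
    failing_after = {f.setting: f for f in check_against_baseline(after)}
    weakened = [failing_after[s] for s in sorted(failing_after)
                if s not in failing_before]
    return {"changed": changed, "weakened": weakened}


# Constructed snapshots: the approved configuration, then the same device after
# a firmware update that reset MFA, downgraded TLS and dropped audit logging.
PRE_UPDATE: dict[str, Any] = {
    "encryption_at_rest": True, "tls_min_version": "1.2", "mfa_required": True,
    "public_access_blocked": True, "anonymous_read": False,
    "audit_logging": True, "password_min_length": 16, "firmware": "4.1.7",
}
POST_UPDATE: dict[str, Any] = {k: v for k, v in PRE_UPDATE.items()
                               if k != "audit_logging"}
POST_UPDATE.update({"firmware": "4.2.0", "mfa_required": False,
                    "tls_min_version": "1.0"})

if __name__ == "__main__":
    report = post_update_review(PRE_UPDATE, POST_UPDATE)
    print("changed:", ", ".join(report["changed"]))
    for f in report["weakened"]:
        print(f"WEAKENED {f.setting}: expected {f.expected!r}, "
              f"got {f.actual!r} ({f.reason})")
```

Two design points matter for this kind of review. First, the baseline is the approved configuration, not whatever the device happened to ship with, so the same check also catches the initial-installation mistakes the alert describes. Second, the review separates "changed" from "weakened": a firmware version bump is expected after an update and should not generate a finding, while a control that quietly fell below the baseline must.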
The vendor management point about software patches and hardware updates stands out because it is unusually prescriptive guidance from OCIE. RIA firms should therefore include a review of the vendor's patch and update procedures when performing third-party due diligence. Equally, advisory firms should confirm, after any patch or hardware update applied to their own systems, that the security settings of their on-premises or cloud-based network storage solutions are unchanged; updates can reset or remove settings without any visible warning.
This latest risk alert reinforces the SEC's continued focus on cybersecurity-related compliance issues for investment advisers and follows a recent Regulation S-P risk alert that also cited a number of common cybersecurity-related deficiencies. In addition, recent cybersecurity-related SEC enforcement actions against investment advisers have specifically cited violations of the Safeguards Rule. We therefore strongly recommend that the Chief Compliance Officer ("CCO") and all advisory firm principals carefully review this latest risk alert. Failure to address the network storage issues and to establish and implement the policies and procedures described above could lead to serious regulatory compliance problems.
Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.