The US Securities and Exchange Commission (SEC) has issued an alert warning advisers of the potential security risks of storing information on cloud-based platforms, as they do not all offer encryption or password protection.
The risk alert – which was issued on 23 May – said that the US Office of Compliance Inspections and Examinations (OCIE) had identified security risks “associated with the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage”.
While “the majority of these network storage solutions offered encryption, password protection, and other security features designed to prevent unauthorized access, examiners observed that firms did not always use the available security features”, the alert continued, noting that “weak or misconfigured security settings on a network storage device could result in unauthorized access to information”.
In a summary, the OCIE said its staff had identified a number of specific concerns that could raise compliance issues under regulations governing information security and identity theft. The Safeguards Rule of Regulation S-P “requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information”.
Similarly, the Identity Theft Red Flags Rule of Regulation S-ID requires broker-dealers and investment advisers registered or required to be registered with the SEC to develop and implement a written identity theft prevention program designed to “detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account”.
The concerns identified in the alert include: misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures.
In some cases, the alert said, firms had not “adequately” configured the settings on their network storage solution of choice to “protect against unauthorized access” and some firms did not have “policies and procedures addressing the security configuration” of that “solution”.
Furthermore, some firms failed to ensure that the configuration of security settings on “vendor-provided network storage solutions were configured in accordance with the firm’s standards”, and in some cases, firms’ “policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data”, the alert said.
According to the OCIE, implementation of a “configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features will help to mitigate the risks incurred when implementing on-premise or cloud-based network storage solutions”.
OCIE staff observed “several features of effective configuration management programs, data classification procedures, and vendor management programs”, the alert said.
These included: policies and procedures to support the installation, maintenance and review of the network storage solution; guidelines for security controls and “baseline security configuration standards”; and vendor management policies and procedures, including the regular implementation of software patches and hardware updates.
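The alert's three concerns (misconfigured storage, weak vendor oversight, missing data classification) map naturally onto a periodic audit that compares each storage location against a written baseline. The script below is an added illustration of such a check; it is not code from the SEC, the OCIE or any vendor. The baseline values, the `StorageShare` fields, and the inventory of shares are all constructed for the example, and a real program would populate the inventory from the storage vendor's API or configuration export.

```python
"""Baseline-configuration audit for network storage (illustrative example).

Models the three concerns in the OCIE alert: security settings that do not
match the firm's baseline, vendor-provided storage that drifts from that
baseline, and data that has no classification (so no control can be chosen).
Baseline, field names and inventory are constructed for this example.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical "baseline security configuration standards", keyed by data
# classification. Values are constructed, not taken from the alert.
BASELINE = {
    "customer_pii": {"encryption_at_rest": True, "auth_required": True,
                     "public_access": False, "max_patch_age_days": 30},
    "internal":     {"encryption_at_rest": True, "auth_required": True,
                     "public_access": False, "max_patch_age_days": 90},
    "public":       {"encryption_at_rest": False, "auth_required": False,
                     "public_access": True, "max_patch_age_days": 90},
}


@dataclass
class StorageShare:
    """One on-premise or cloud storage location as reported by its vendor."""
    name: str
    vendor: str
    classification: Optional[str]   # None means nobody has classified the data
    encryption_at_rest: bool
    auth_required: bool
    public_access: bool
    patch_age_days: int             # days since the vendor last patched it


def audit_share(share: StorageShare, baseline=BASELINE) -> List[str]:
    """Return the list of baseline violations for one share (empty if clean)."""
    findings = []
    if share.classification is None:
        # Without a classification there is no standard to compare against,
        # which is itself the third concern in the alert.
        return ["unclassified: no data classification assigned"]
    std = baseline.get(share.classification)
    if std is None:
        return [f"unknown classification {share.classification!r}"]
    if std["encryption_at_rest"] and not share.encryption_at_rest:
        findings.append("encryption at rest disabled")
    if std["auth_required"] and not share.auth_required:
        findings.append("authentication not required")
    if share.public_access and not std["public_access"]:
        findings.append("public access enabled")
    if share.patch_age_days > std["max_patch_age_days"]:
        findings.append(f"patches {share.patch_age_days} days old, "
                        f"limit {std['max_patch_age_days']}")
    return findings


def audit_inventory(shares: List[StorageShare], baseline=BASELINE) -> Dict[str, List[str]]:
    """Map share name -> findings, for shares that fail the baseline only."""
    return {s.name: f for s in shares if (f := audit_share(s, baseline))}


def findings_by_vendor(shares: List[StorageShare], baseline=BASELINE) -> Dict[str, int]:
    """Count findings per vendor: the input for the vendor-oversight review."""
    counts: Dict[str, int] = {}
    for s in shares:
        counts[s.vendor] = counts.get(s.vendor, 0) + len(audit_share(s, baseline))
    return counts


# Constructed inventory; vendor names and settings are made up for the example.
SAMPLE_INVENTORY = [
    StorageShare("client-records", "cloud-vendor-a", "customer_pii",
                 encryption_at_rest=False, auth_required=True,
                 public_access=False, patch_age_days=12),
    StorageShare("marketing-assets", "cloud-vendor-a", "public",
                 encryption_at_rest=False, auth_required=False,
                 public_access=True, patch_age_days=45),
    StorageShare("legacy-nas", "on-prem", None,
                 encryption_at_rest=True, auth_required=True,
                 public_access=False, patch_age_days=200),
    StorageShare("vendor-backup", "cloud-vendor-b", "internal",
                 encryption_at_rest=True, auth_required=False,
                 public_access=True, patch_age_days=120),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
    print("findings per vendor:", findings_by_vendor(SAMPLE_INVENTORY))
```

Two design points follow from the alert's wording. An unclassified share is reported as a finding in its own right rather than silently audited against some default, because the alert treats missing classification as a control gap. And the per-vendor count is kept separate from the per-share detail, since the vendor-oversight question ("is this vendor's service configured to our standards?") is answered by the aggregate, while remediation works share by share.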
The OCIE called for registered broker-dealers and investment advisers to “review their practices, policies, and procedures with respect to the storage of electronic customer information and to consider whether any improvements are necessary”. It also encouraged firms to “actively oversee any vendors they may be using for network storage to determine whether the service provided by the vendor is sufficient to enable the firm to meet its regulatory responsibilities”.