SEC Issues Warning on Cloud-Based Storage Solutions

A risk alert warns that advisors and broker-dealers are not using the available security features.

The Securities and Exchange Commission is warning of security risks the agency has found in advisor and broker-dealer exams associated with the storage of electronic customer records, including those leveraging cloud-based storage.

The May 23 Risk Alert comes as the agency’s Office of Compliance Inspections and Examinations started an exam sweep this week of how RIAs are identifying and monitoring risks to ensure systems, data and nonpublic client information are secured at third parties and the cloud service providers that RIAs use.

During recent exams, OCIE identified security risks associated with the storage of electronic customer records and information by broker-dealers and RIAs in various network storage solutions.

“Although the majority of these network storage solutions offered encryption, password protection, and other security features designed to prevent unauthorized access, examiners observed that firms did not always use the available security features,” the Risk Alert states.

“Weak or misconfigured security settings on a network storage device could result in unauthorized access to information stored on the device.”

OCIE staff identified the following concerns that may raise compliance issues under Regulations S-P and S-ID.

As to the recent exam sweep letter sent to RIAs regarding their cyber due diligence, Askari Foy, managing director of ACA Aponix, a global regulatory cybersecurity firm, told ThinkAdvisor in an email message that “when considering these recent requests for information, it is becoming increasingly evident that the SEC is intent on understanding vendor risk cybersecurity concerns for RIAs — particularly when it comes to cloud service providers.”

The SEC, Foy said, “is placing a strong focus on personally identifiable information of both employees and investors, and the material nonpublic information that RIAs manage and share with third-party vendors. ACA has observed through our work with RIA clients the maturation of cyber programs, but there’s still much work to be done across the sector.”

Foy stated that “there is a wide range of data that RIAs share with vendors, though the exposure that each RIA has with its cloud service provider varies. The SEC wants evidence that RIAs are doing all that they can to identify, monitor and mitigate the risk associated with vendors that custody data or access data networks.”