The Securities and Exchange Commission’s May 2019 Risk Alert, which identified security risks associated with the electronic storage of customer records and information, specifically called out the use of third-party cloud-based storage systems.
You might wonder why your firm would be responsible for the security of a third-party system, but today’s technology security requirements go beyond the coding, architecture, and intellectual property of a particular system. As this SEC Risk Alert offers valuable insights that impact your technology, it’s important to evaluate some of the issues it raised.
Many advisors may remember the days when they truly “owned” the security infrastructure for their firm. They didn’t have the option to use a cloud-based storage system. The electronic storage of customer records was likely on a server located in their office.
Hopefully they understood the critical security aspects of this device and therefore limited who could access it. This was the beginning of the classic “administrator” versus “user” permission rights. The administrator was responsible for maintaining the server, which of course included its own security.
Here Come the Clouds
Cloud-based systems changed the areas of attention and focus, but security responsibilities weren’t necessarily reduced. You are no longer directly responsible for certain areas — like physical security of the device or redundancy and back-up processes — which are “foundational requirements” for the cloud-based company that you select.
However, you still control the keys to the kingdom, which accounts for a large part of the SEC’s Risk Alert. You would never give all your employees direct access to the server in your office, but have you done it (inadvertently) with your cloud-based storage systems?
Your firm is utilizing all the security features available with the cloud-based system, including features like user ID and password standards, 2-step verification, internet protocol address tracking, etc. Furthermore, cloud-based companies are regularly improving their security parameters and recommendations … or at least they should be.