The Securities and Exchange Commission’s May 2019 Risk Alert that identified security risks associated with the electronic storage of customer records and information specifically called out the use of third party cloud-based storage systems.
You might wonder why your firm would be responsible for the security of a third-party system, but today’s technology security requirements go beyond the coding, architecture, and intellectual property of a particular system. Because this SEC Risk Alert offers valuable insights that affect your technology, it’s important to evaluate some of the issues it raised.
Many advisors may remember the days when they truly “owned” the security infrastructure for their firm. They didn’t have the option to use a cloud-based storage system. The electronic storage of customer records was likely on a server located in their office.
Hopefully they understood the critical security aspects of this device and therefore limited who could access it. This was the beginning of the classic “administrator” versus “user” permission rights, and the administrator was responsible for maintaining the server, which of course included its own security.
Here Come the Clouds
Cloud-based systems changed the areas of attention and focus, but security responsibilities weren’t necessarily reduced. You are no longer directly responsible for certain areas — like physical security of the device or redundancy and back-up processes — which are “foundational requirements” for the cloud-based company that you select.
However, you still control the keys to the kingdom, which accounts for a large part of the SEC’s Risk Alert. You would never give all your employees direct access to the server in your office, but have you done it (inadvertently) with your cloud-based storage systems?
Your firm is utilizing all the security features available with the cloud-based system, including features like user ID and password standards, 2-step verification, internet protocol address tracking, etc. Furthermore, cloud-based companies are regularly improving their security parameters and recommendations … or at least they should be.
Is your firm regularly adopting these new security options and best practices? The last thing you want is for a regulator to inform you in a deficiency letter about the availability of one of these items. This type of situation was directly mentioned in the SEC’s Risk Alert. Just like staying on top of regular operating system and software updates, you need to have a similar focus for your cloud-based storage systems.
Our profession certainly has benefited from the technology efforts focused on improved data interfaces and integrations across multiple cloud-based systems. Of course, there also are risks that need to be mitigated in this “data sharing” environment.
As was covered in the SEC Risk Alert, do you know the “what, where and how” of the data stored on each of these systems? Ideally, you should have a systems diagram that clearly answers these questions. For example, you should document the data stored in your financial planning application. This might include client account data, tax details, documents, and non-direct client information (beneficiaries).
Your systems diagram will have to be a fluid document as these products release new features and integrations are enhanced. Ultimately, you want to demonstrate that you know the details for all aspects of your data storage, whether on your firm-owned resources or with a cloud-based system.
The SEC Risk Alert also discussed the importance of regular oversight and management of your vendor relationships (e.g., cloud-based systems). This begins with the research and evaluation you conducted when selecting the vendor, and continues with how you incorporated the vendor’s role into your policies and procedures once you began to use their services.
This effort needs to continue as you regularly review the vendor relationship to ensure that expectations and standards are being met. The vendor also should be making regular technology updates and changes, and it is critical that your firm is involved in implementing those updates in your environment. This is especially true for any changes that might require updates to your firm’s procedures.
Dan Skiles is the president of Shareholders Service Group in San Diego.