In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker-dealers to take a fresh look at their policies and procedures for electronic customer record storage, in light of shortcomings OCIE’s staff discovered during recently conducted regular examinations. These shortcomings include weak or misconfigured security settings on network storage devices that, in the worst case, could result in unauthorized access to customer information.
OCIE Risk Alerts are highly useful resources for compliance professionals, as these published notices serve as a window not only into the recent experiences of OCIE staffers in the field, but also into the thinking of OCIE management as to where it will direct its staff to focus in future examinations. In other words, if OCIE management deems a topic important enough to publish a Risk Alert on it, registrants can be assured that future exams will likely focus on deficiencies in that area.
This most recent Risk Alert zeroes in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records—specifically, records kept in the “cloud” or on other types of networked storage solutions. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Such storage systems may be especially vulnerable to hacking or other nefarious activities and, as such, warrant robust protections.
Notably, two specific provisions of the SEC’s Rules, both cited by OCIE in its Risk Alert, create obligations on the part of advisers and brokers to establish procedures for protecting customer records. The Safeguards Rule of Regulation S-P requires the adoption of written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Additionally, the Identity Theft Red Flags Rule of Regulation S-ID requires the development and implementation of a written identity theft prevention program designed to detect, prevent, and mitigate identity theft.
In this light, OCIE observed—as part of its regular examination process—a number of problematic practices potentially implicating violations of Regulations S-P and S-ID. These observations as detailed in the Risk Alert include:
- Misconfigured network storage solutions, as exemplified by firms that did not adequately configure the security settings on their network storage solution to protect against unauthorized access (or did not even have policies and procedures addressing such configuration).
- Inadequate oversight of vendor-provided network storage solutions, whereby firms failed to ensure (through policies and procedures, or contractual provisions) that the security settings on vendor-provided network storage solutions were properly configured.
- Insufficient data classification policies and procedures, as evidenced by policies and procedures that did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
On the other hand, OCIE also observed what it termed “effective configuration management programs, data classification procedures, and vendor management programs,” such as:
- Policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution.
- Guidelines for security controls and baseline security configuration standards to ensure that each network storage solution is configured properly.
- Vendor management policies and procedures that include regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.
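The baseline-configuration and post-patch review practices OCIE describes in the list above lend themselves to a concrete check. The following Python script is an added illustration; it is not part of the Risk Alert or of Parker MacIntyre's materials, and the setting names, data classes, required values and the two sample configurations are constructed assumptions rather than any vendor's actual options. It classifies a storage location, checks its settings against the controls required for that class of data, and reports drift between an approved baseline and the configuration observed after a vendor update.

```python
"""Baseline configuration check for networked/cloud customer-record storage.

Constructed example: the setting names, data classes and sample stores below
are hypothetical and are not drawn from any vendor product or from the Risk Alert.
"""
from dataclasses import dataclass, field


# Hypothetical baseline: minimum security settings required for a store that
# holds each class of data. The data classes themselves are constructed.
REQUIRED_CONTROLS = {
    "public": {},
    "internal": {"authentication_required": True},
    "customer_pii": {
        "authentication_required": True,
        "public_access": False,
        "encryption_at_rest": True,
        "min_tls_version": "1.2",
        "access_logging": True,
    },
}


@dataclass
class StorageConfig:
    """A storage location, the class of data it holds, and its security settings."""
    name: str
    data_class: str
    settings: dict = field(default_factory=dict)


def _version_tuple(version: str) -> tuple:
    """Turn a dotted version string such as '1.2' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def evaluate_store(store: StorageConfig) -> list:
    """Return findings where the store's settings fall short of the controls
    required for the class of data it holds, or where the class is unknown."""
    if store.data_class not in REQUIRED_CONTROLS:
        return [f"{store.name}: data class '{store.data_class}' is not classified"]
    findings = []
    for setting, required in REQUIRED_CONTROLS[store.data_class].items():
        actual = store.settings.get(setting)
        if actual is None:
            findings.append(f"{store.name}: '{setting}' is not set (required {required!r})")
        elif setting == "min_tls_version":
            # Version settings are a floor, so compare numerically rather than for equality.
            if _version_tuple(actual) < _version_tuple(required):
                findings.append(f"{store.name}: 'min_tls_version' is {actual}, "
                                f"baseline requires at least {required}")
        elif actual != required:
            findings.append(f"{store.name}: '{setting}' is {actual!r}, required {required!r}")
    return findings


def configuration_drift(baseline: StorageConfig, current: StorageConfig) -> dict:
    """Compare a store's settings after a patch or update against the approved
    baseline. Returns {setting: (before, after)} for every value that changed."""
    keys = set(baseline.settings) | set(current.settings)
    return {
        key: (baseline.settings.get(key), current.settings.get(key))
        for key in sorted(keys)
        if baseline.settings.get(key) != current.settings.get(key)
    }


# Constructed sample data: the approved baseline for a customer-records share,
# and the same share as observed after a hypothetical vendor update that reset
# two settings.
BASELINE = StorageConfig(
    name="customer-records-share",
    data_class="customer_pii",
    settings={
        "authentication_required": True,
        "public_access": False,
        "encryption_at_rest": True,
        "min_tls_version": "1.2",
        "access_logging": True,
    },
)
AFTER_PATCH = StorageConfig(
    name="customer-records-share",
    data_class="customer_pii",
    settings={**BASELINE.settings, "public_access": True, "min_tls_version": "1.0"},
)


if __name__ == "__main__":
    print("Baseline findings:", evaluate_store(BASELINE) or "none")
    print("Post-patch findings:")
    for finding in evaluate_store(AFTER_PATCH):
        print("  -", finding)
    print("Drift introduced by the update:", configuration_drift(BASELINE, AFTER_PATCH))
```

Run against an actual environment, the `settings` dictionaries would be populated from the storage platform's own configuration export or API, and the drift report would be reviewed after every vendor patch cycle, which is the review step OCIE lists above.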
Our take on this Risk Alert is that—as with any Risk Alert—advisers and brokers are well served to digest its contents and undertake a self-examination of the firm’s policies and procedures in light of the concerns raised and the best practices proposed. As noted above, Risk Alerts can be a very useful tool for registrants preparing for the inevitable OCIE exam. In that regard, we note that the last two Risk Alerts have involved issues implicating Regulation S-P, and that three of the last four Risk Alerts have involved electronic storage issues of one form or another—i.e., electronic customer records as well as storage issues related to firm use of electronic communications. Advisers and brokers should take note and prepare accordingly.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our website for more information.