On May 23, 2019, the Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert regarding security risks associated with the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage.
OCIE staff noted that although most of these network storage solutions offer encryption, password protection and other security features designed to prevent unauthorized access, firms do not always use the available features. Weak or misconfigured security settings on a network storage device could result in unauthorized access to information.
The main concerns identified during examinations included concerns that may raise compliance issues under Regulations S-P and S-ID:
- Misconfigured network storage solutions: Inadequate configuration of security settings and/or no policies and procedures addressing security configuration.
- Inadequate oversight of vendor-provided network storage solutions: Firms did not ensure that vendor network storage solutions were configured according to firm standards.
- Insufficient data classification policies and procedures: Firms’ policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
The following effective practices were identified:
- Policies and procedures designed to support the initial installation, ongoing maintenance and regular review of the network storage solution;
- Guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and
- Vendor management policies and procedures that include regular implementation of software patches and hardware updates, followed by reviews to ensure that those patches and updates did not unintentionally change, weaken or otherwise modify the security configuration.
For further information, read the full report.