Risk Alert: Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features

On May 23, 2019, the SEC issued a risk alert on safeguarding customer information stored on cloud and other network storage solutions. The Risk Alert identifies security risks and best practices associated with the storage of customer records and information by investment advisers and broker-dealers (collectively, firms) in the cloud and on other electronic network storage solutions (collectively, network storage solutions). According to the Risk Alert, the OCIE Staff observed during recent examinations that, although most network storage solutions (e.g., cloud-based storage) offer security features designed to prevent access by unauthorized persons (including password protection, encryption and other features), some firms did not always use the offered security features. The Staff further noted that weak or misconfigured security settings on a network storage device could lead to unauthorized access to information stored on the device. Such unauthorized access may involve access to customer records and information, which could lead to compliance issues under Regulation S-P (Reg. S-P) and Regulation S-ID (Red Flags Rule).

The Risk Alert highlights the following as concerns that may raise compliance issues under Reg. S-P and the Red Flags Rule:

(1) Misconfigured network storage solutions. The Staff observed that some firms did not adequately configure security settings for network storage solutions. The Staff noted that in some instances the storage settings were misconfigured because no one oversaw those settings at the time the network storage solution was first implemented. The Staff further observed that some firms' policies and procedures did not address the configuration of these security settings.

(2) Inadequate oversight of vendor-provided storage solutions. The Staff observed that some firms failed to ensure (through policies and procedures, contractual obligations or otherwise) that the security settings of network storage solutions provided by vendors were configured in a manner that complied with the firms' internal standards.

(3) Insufficient data classification policies and procedures. The Staff observed that the types of data stored electronically, and the appropriate controls for each type of data, were not addressed in some firms' policies and procedures.

Effective Practices Identified by OCIE Staff:

The Staff explained that firms can mitigate the risks associated with storing customer records and information on a network storage solution by implementing configuration management programs, which should include security features as well as policies and procedures that govern data classification and vendor oversight. According to the Staff, the following are features of an effective configuration management program, data classification procedures, and vendor management program:

(1) Policies and procedures that address the initial installation, continuing maintenance and regular review of a firm's network storage solutions.

(2) Guidelines regarding the security controls for network storage solutions and "baseline" security configuration standards.

(3) "Vendor management" policies and procedures that address the regular implementation of software patches and hardware updates, as well as subsequent reviews to ensure that such updates do not "unintentionally change, weaken, or otherwise modify the security configuration."

Recommendations:

Firms should consider whether their practices are in line with the effective practices (and avoid the pitfalls) the Staff cited in the Risk Alert, and enhance practices as needed. Firms should periodically review configurations to confirm that they are reasonably designed to meet business and security needs as well as regulatory requirements. Notably, the Risk Alert also illustrates that it is important for firms to take an active role in vendor oversight, particularly when engaging vendors that provide network storage solutions to the firm.

Conclusion:

The Risk Alert takes a nuanced look at how firms are addressing information security as it relates to the storage of customer records and information on network storage solutions. Firms may decide to review their policies and procedures with respect to the storage of customer records and information to determine whether enhancements are needed to address the concerns discussed in the Risk Alert. Firms also should include review of network storage solutions as part of their regular compliance and information security reviews.