Not all broker-dealers and investment advisers are adequately addressing the various security risks in relation to their network storage solutions, which could result in unauthorized access to information stored on the device, according to a new SEC Risk Alert.
During recent examinations, staff from the SEC's Office of Compliance Inspections and Examinations (OCIE) identified security risks associated with the storage of electronic customer records and information by BDs and IAs in various network storage solutions – including those leveraging cloud-based storage. “Although the majority of these network storage solutions offered encryption, password protection, and other security features designed to prevent unauthorized access, examiners observed that firms did not always use the available security features,” the OCIE states in its alert. As a result, “weak or misconfigured security settings” could result in unauthorized access to information stored on the device, the OCIE warns.
The following concerns, identified by staff during examinations, may raise compliance issues under the Safeguards Rule of Regulation S-P, which concerns the protection of customer records and information, and under the Identity Theft Red Flags Rule of Regulation S-ID.
- Misconfigured network storage solutions. In some cases, firms did not adequately configure the security settings on their network storage solution to protect against unauthorized access. Moreover, the OCIE notes that some firms did not have policies and procedures addressing the security configuration of their network storage solution. “Often, misconfigured settings resulted from a lack of effective oversight when the storage solution was initially implemented,” the alert states.
- Inadequate oversight of vendor-provided network storage solutions. Some firms also had not ensured – through policies, procedures, contractual provisions or otherwise – that the security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards.
- Insufficient data classification policies and procedures. Here, the OCIE warns that firms’ policies and procedures in some cases did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
Best Practices Profiled
The Risk Alert further explains that, during examinations, OCIE staff have observed several features of effective configuration management programs, data classification procedures and vendor management programs, including:
- policies and procedures designed to support the initial installation, ongoing maintenance and regular review of the network storage solution;
- guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and
- vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken or otherwise modify the security configuration.
All in all, registered BDs and IAs are encouraged to review their practices, policies and procedures with respect to the storage of electronic customer information and to consider whether any improvements are necessary, the alert emphasizes. The OCIE also encourages firms to actively oversee any vendors they may be using for network storage to determine whether the service provided by the vendor is sufficient to enable the firm to meet its regulatory responsibilities.
The OCIE had previously announced that its 2019 exam priorities will include cybersecurity issues with an emphasis on proper configuration of network storage devices, information security governance and procedures related to retail trading information security.