OCIE Risk Alert Focuses on Oversight of Cloud-Based Vendors

The SEC’s Office of Compliance Inspections and Examinations issued a risk alert based on several identified security risks associated with the storage of electronic customer data by broker-dealers and investment advisers in the cloud and on other types of network storage solutions. OCIE said its examiners observed: misconfigured security settings of firms’ network storage solutions; failures to utilize security features designed to prevent unauthorized access, such as encryption and password protection in network storage solutions; and overall inadequate oversight of vendor-provided network storage solutions. “In some cases, firms did not ensure, through policies, procedures, contractual provisions, or otherwise, that the security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards.” OCIE recommended that firms actively oversee any vendors they may be using for network storage to determine whether the service provided by the vendor measures up to the firm’s regulatory obligations and also suggested effective practices to mitigate risk, including implementing “a configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features.” OCIE encouraged firms to review their practices, policies, and procedures with respect to the storage of electronic customer information and to consider whether any improvements are necessary.