Thursday, May 30, 2019

OCIE finds deficiencies in data-storage practices of brokers and advisers

By Anne Sherry, J.D.

The SEC’s Office of Compliance Inspections and Examinations issued a risk alert highlighting security risks identified in recent examinations of broker-dealers and investment advisers. OCIE examiners found that in storing electronic customer records and information in cloud-based and other network storage repositories, brokers and advisers did not always use the available security features. The risk alert provides several examples of effective practices.

The alert notes that the majority of network storage repositories offered encryption, password protection, and other security features, but these were not always utilized. These deficiencies could lead to violations of Regulations S-P (safeguards) and S-ID (identity theft red flags). Regulation S-P requires investment advisers and broker-dealers to have policies and procedures in place reasonably designed to protect customer information, while Regulation S-ID protects against identity theft and applies to investment advisers, broker-dealers, and investment companies.

Last September, the SEC for the first time brought charges for violations of Regulation S-ID. Voya Financial Advisers agreed to pay $1 million to settle the SEC's charges relating to weaknesses in their cybersecurity policies that resulted in the failure to detect and protect against a cyber intrusion that allowed access to the personal information of thousands of customers. The agency has also brought a number of enforcement actions for violations of Regulation S-P.

OCIE observed that some firms did not adequately configure the security settings on their network storage system to protect against unauthorized access and sometimes lacked policies and procedures addressing this security configuration. In some cases, firms did not ensure (for example, through policies and procedures or contractual provisions) that the security settings for vendor-provided storage were properly configured to the firms’ standards. And policies and procedures sometimes failed to identify the different types of electronically stored data and the appropriate controls for each data type.

The alert also gives several examples of effective practices noted in examinations. These include policies and procedures designed to support the installation, maintenance, and review of network storage systems; guidelines for security controls and baseline configuration standards; and vendor management policies and procedures. OCIE encourages brokers and advisers to review their practices, policies, and procedures and to actively oversee any third parties that provide network storage services with a view towards regulatory compliance.