Just because a firm has the ability to password-protect, encrypt or implement other security features to protect its data, doesn’t mean the firm is actually taking those steps. That’s the observation being shared by the SEC in its most recent risk alert, which covers safeguarding customer records and information in network storage.
Recently, the Office of Compliance Inspections and Examinations (OCIE) has encountered instances of misconfigured data storage, inadequate oversight of vendor-provided storage of customer records, and deficient data classification policies and procedures, according to the report. The observations apply to both in-house and cloud-based storage, and the problems can sometimes be traced all the way back to when the system was installed. “Often, misconfigured settings resulted from a lack of effective oversight when the storage solution was initially implemented,” the report noted.
“Simply utilizing a network storage solution with robust security capabilities is not enough,” explained GJ King, president at RIA in a Box. “Firms need to ensure the system is properly installed and regularly maintained. And if there is an available system security feature not being utilized by the firm, the firm needs to be prepared to explain why it hasn't been implemented.” If security measures like two-factor authentication, which have been shown by tech giants like Google to mitigate the risk of hacking, are available but not activated, that could be “an issue,” added King.
But it’s not all bad news. Regulators also observed firms that built policies around the installation of new storage solutions, addressed ongoing maintenance with regular reviews, and established guidelines for security controls and baseline security configurations. Examiners found firms managing their vendors with a proactive, policy-driven approach to software patches and hardware updates, including reviews to confirm that updates had not altered pre-existing security configurations.
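The baseline-configuration review the examiners describe, and the “available but not activated” feature check King raises above, can be automated. The following is an added illustration and is not code from the SEC alert, OCIE or RIA in a Box; the setting names, the baseline, and the “after update” configuration are all constructed for the example and do not correspond to any vendor’s real schema.

```python
# Added example: compare a network storage configuration against the
# security baseline documented at installation, and flag settings that a
# vendor update (or anyone else) has weakened. All setting names and
# sample values below are constructed for illustration.

from dataclasses import dataclass

# Constructed baseline: the security settings a firm recorded when the
# storage solution was first implemented.
BASELINE = {
    "encryption_at_rest": True,
    "mfa_required": True,
    "public_access": False,
    "tls_min_version": "1.2",
    "audit_logging": True,
}

# Which direction counts as a weakening for each boolean setting.
SECURE_WHEN_TRUE = {"encryption_at_rest", "mfa_required", "audit_logging"}
SECURE_WHEN_FALSE = {"public_access"}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: object
    actual: object
    severity: str  # "weakened" (security reduced) or "changed" (differs, not weaker)


def _version_tuple(v):
    # "1.2" -> (1, 2) so that minimum TLS versions compare numerically.
    return tuple(int(p) for p in str(v).split("."))


def review_configuration(current, baseline=BASELINE):
    """Return one Finding per setting that no longer matches the baseline.

    A setting missing from the current configuration is reported as
    weakened: an undocumented default is exactly the kind of gap the
    examiners attribute to weak oversight at installation time.
    """
    findings = []
    for setting, expected in baseline.items():
        if setting not in current:
            findings.append(Finding(setting, expected, None, "weakened"))
            continue
        actual = current[setting]
        if actual == expected:
            continue
        if setting in SECURE_WHEN_TRUE and expected is True and actual is not True:
            severity = "weakened"
        elif setting in SECURE_WHEN_FALSE and expected is False and actual is not False:
            severity = "weakened"
        elif setting == "tls_min_version" and _version_tuple(actual) < _version_tuple(expected):
            severity = "weakened"
        else:
            severity = "changed"  # e.g. a higher TLS minimum than the baseline
        findings.append(Finding(setting, expected, actual, severity))
    return findings


def unused_security_features(current, available):
    """Return the features the product offers that are not switched on.

    'available' is a constructed list of feature names the storage product
    supports; under the alert, each one left off needs a documented reason.
    """
    return sorted(f for f in available if current.get(f) is not True)


# Constructed sample: the configuration observed after a vendor update
# that silently reset two settings.
AFTER_UPDATE = {
    "encryption_at_rest": True,
    "mfa_required": False,
    "public_access": True,
    "tls_min_version": "1.2",
    "audit_logging": True,
}

if __name__ == "__main__":
    for f in review_configuration(AFTER_UPDATE):
        print(f"{f.severity.upper():9} {f.setting}: expected {f.expected!r}, found {f.actual!r}")
    print("available but not enabled:",
          unused_security_features(AFTER_UPDATE, ["mfa_required", "ip_allowlist", "audit_logging"]))
```

Run after every patch or vendor update and keep the output with the vendor due-diligence file; a non-empty list of weakened findings is the evidence that an update modified pre-existing security configurations, which is precisely what the examiners expect firms to be checking for.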
The examiners’ recommendation on software patches and hardware updates is “fairly prescriptive guidance,” said King. “RIA firms should consider incorporating a review of software patch and hardware update procedures when performing third party vendor due diligence.”
The risk alert concluded with a note of caution regarding the third parties firms rely on. Regulators encouraged firms to “actively oversee any vendors they may be using for network storage to determine whether the service provided by the vendor is sufficient to enable the firm to meet its regulatory responsibilities.”