Focus Perspective: Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features

Latest Risk Alert

Risk Alerts from the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) are generally a big deal, identifying problems the examination staff have identified in their examinations of registered entities. The latest Risk Alert, “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features,” released on May 23, 2019, is shorter than the average Alert, at only two pages. However, don’t be fooled by its length, OCIE only issues Risk Alerts on matters it considers important, which means matters that will be important to us, too. The Risk Alert is brief enough to include all but the footnotes, and a link is attached.

I.     Introduction

“During recent examinations, the Office of Compliance Inspections and Examinations (“OCIE”) identified security risks associated with the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage. Although the majority of these network storage solutions offered encryption, password protection, and other security features designed to prevent unauthorized access, examiners observed that firms did not always use the available security features. Weak or misconfigured security settings on a network storage device could result in unauthorized access to information stored on the device.” (emphasis added)

II.     Summary of Examination Observations

“OCIE staff has observed firms storing electronic customer records and information using various types of storage solutions, including cloud-based storage. During examinations, OCIE staff identified the following concerns that may raise compliance issues under Regulations S-P and S-ID:” (emphasis added)

  • “Misconfigured network storage solutions. In some cases, firms did not adequately configure the security settings on their network storage solution to protect against unauthorized access. In addition, some firms did not have policies and procedures addressing the security configuration of their network storage solution. Often, misconfigured settings resulted from a lack of effective oversight when the storage solution was initially implemented.” (emphasis added)
  • “Inadequate oversight of vendor-provided network storage solutions. In some cases, firms did not ensure, through policies, procedures, contractual provisions, or otherwise, that the security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards.
  • Insufficient data classification policies and procedures. In some cases, firms’ policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
III.     Examples of Effective Practices

The implementation of a configuration management program that includes policies and procedures governing data classification, vendor oversight, and security features will help to mitigate the risks incurred when implementing on-premise or cloud-based network storage solutions. During examinations, OCIE staff has observed several features of effective configuration management programs, data classification procedures, and vendor management programs, including:

  • Policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution;
  • Guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and
  • Vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.
IV.     Conclusion

In sharing these observations, OCIE encourages registered broker-dealers and investment advisers to review their practices, policies, and procedures with respect to the storage of electronic customer information and to consider whether any improvements are necessary. OCIE also encourages firms to actively oversee any vendors they may be using for network storage to determine whether the service provided by the vendor is sufficient to enable the firm to meet its regulatory responsibilities.(emphasis added)

See Risk Alert


Peter Driscoll, the Director of OCIE, spoke to attendees at an NRS Conference on April 29, 2019 concerning “How We Protect Retail Investors,” highlighting “several areas where OCIE works to protect investors through examinations.”

A. Fees, Expenses, and Related Disclosures

Examiners closely review a firm’s disclosures and identify whether applicable fees and charges were disclosed and compare those disclosures to how the firm in practice is assessing and collecting fees.

Examiners have identified several types of fee and expense discrepancies when conducting these reviews, such as valuing client assets using a process that differs from that described in the client’s advisory agreement, using the market value of the assets at the end of the billing cycle versus using the average daily balance of the account, or including assets in the fee calculation that the advisory agreement stated would be excluded.

B. Safeguarding of Client Assets

OCIE examines for compliance with the Custody Rule, it examines for misappropriation, and it examines to verify the existence of client assets.

1. Custody of Client Assets

The Custody Rule requires advisers with custody of client assets to:

  1. Hold its clients’ funds and securities at a qualified custodian, typically a broker-dealer or a bank, and in a separate account for each client under that client’s name (or in the adviser’s name as agent or trustee for the clients);
  2. Notify its clients of where their assets are being held by promptly informing a client when an account is opened by the adviser and when any changes are made;
  3. Have a reasonable basis, after due inquiry, that the qualified custodian sends account statements to clients at least quarterly; and
  4. Undergo an annual surprise examination or use an approved alternate approach.

The most common deficiency with the Custody Rule is that advisers did not recognize that they had custody of client assets and were subject to the rule.

2. Misappropriation

Misappropriation is basically just another word for stealing. It is imperative that firms have a robust system of internal controls surrounding their representatives’ handling of these funds and assets.

Examiners have identified instances of misappropriation, as well as internal control weaknesses that could lead to misappropriation. Examiners swiftly refer these cases to Enforcement so that they may immediately take steps to prevent any further misappropriation and attempt to recover whatever assets have been taken.

3. Asset Verification

When examiners conduct asset verification, they are seeking to verify the existence and integrity of client assets managed or held by the adviser. The greatest fear an investor may have is that their assets are “no longer there.”

C. Disclosure of Conflicts of Interest

Examiners review an adviser’s disclosures in connection with its operations to evaluate whether the adviser has appropriately identified and disclosed conflicts.

Examiners have observed advisers:

  1. Recommending certain investments to their clients without disclosing their own interest in the investment;
  2. Not providing adequate disclosure about how they would allocate investment opportunities among multiple clients with the same or similar investment strategies; and
  3. Recommending their clients use affiliated broker-dealers or other service providers without adequately disclosing the affiliation or the receipt of compensation for making the recommendation.

D. Firms Borrowing from Clients

The need for the loan can sound innocent enough. Perhaps it is a new and growing adviser with little capital, or a registered representative that recently moved from being an employee representative to an independent representative.

Often, little or no disclosures are provided on the illiquidity of the investment, or the financial incentives that advisers, broker-dealers and their representatives may receive to recommend these products to clients and customers. When examiners see these types of arrangements, they will look at whether all material risks, expenses and compensation are adequately disclosed to clients and customers.

E. Focus on Issues Relevant to Seniors

OCIE recently concluded a review of over 200 investment advisers with a significant senior client base. Among other things, OCIE wanted to gain an understanding of whether advisers with a significant senior client base had policies and procedures that addressed the protection of senior investors. OCIE also focused on whether firms were aware of certain state and federal laws addressing senior financial abuse and exploitation.

Devoting Adequate Compliance Resources & Empowering the CCO

Peter Driscoll’s ending comments addressed the importance of compliance programs and the role compliance officers play in ensuring market participants and firms protect investors.

“We cannot underscore enough a firm’s continued need to assess whether its compliance program has adequate resources to support its compliance function.” 

“We are concerned when we hear directly from industry participants and read press reports that compliance resources and budgets are being cut or are not keeping up with firms’ risk profiles.”

“A CCO, while a critical component to the effectiveness of any compliance program, is just that, one component. As the Advisers Act Compliance Rule states, a CCO is responsible for “administering” the compliance policies and procedures that the adviser, not just the CCO, adopts. Consequently, I believe that compliance obligations and opportunities lie with personnel firm-wide, including importantly senior management and ownership, the tone from the top, and the first line or business side of an enterprise.”

“An empowered CCO should have full authority to develop and enforce policies and procedures and be of sufficient seniority and authority within the firm to compel others – including others in senior management to follow and enforce those policies and procedures.”

See Full Speech

Our Perspective

It’s not the length of the Risk Alert, it’s the language!  The SEC has made the industry aware, time and time again, that protection of client personal information is critical, but some of us just don’t get it. We emphasized in bold italics (italics) language that was especially encouraging.

We particularly liked Director Driscoll’s speech, and especially his statement that the CCO is the administrator of the compliance program, that all members of the firm are responsible for compliance. Back in the olden days we had a saying that, “if a CCO was held responsible for a compliance failure, the CEO was held responsible for a failure to supervise.”

Please remember to thank a military veteran for their service.


Comments are closed.