Office of Compliance Inspections and Examinations (“OCIE”)
On May 23, 2019, OCIE released a risk alert based on identified security risks associated with the storage of electronic customer records in various network storage solutions, including those leveraging cloud-based storage. OCIE staff identified the following concerns related to compliance with Regulations S-P and S-ID:
- Misconfigured network storage solutions – security settings on network storage solutions not adequately configured to protect against unauthorized access. Policies and procedures for some firms did not address security configuration of their network storage solution which often resulted in a lack of effective oversight.
- Inadequate oversight of vendor-provided network storage solutions – some firms did not ensure, through policies, procedures, contractual provisions or otherwise, that the security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards.
- Insufficient data classification policies and procedures – firms’ policies and procedures, in some cases, did not identify the different types of data stored electronically and the appropriate controls for each type of data.
The risk alert also provides examples of effective practices, which include policies and procedures governing data classification, vendor oversight, and security features:
- Initial installation, on-going maintenance, and regular review of the network storage solutions policies and procedures;
- Guidelines for security controls and baseline security configuration standards for the proper configuration of network security; and
- Policies and procedures for vendor management that include regular implementation of software patches and hardware updates, and reviews to ensure that the implementation of those patches and updates did not change, weaken or modify the security configuration, among other things.
Firms are encouraged to review their practices, policies and procedures surrounding the storage of electronic information to determine if any improvements are necessary. Firms are also encouraged to actively oversee vendors they use for network storage to determine if the service provided by the vendor enables the firm to meet its regulatory responsibilities.