issued May 23, 2019
The U.S. Securities and Exchange Commission (“SEC” or the “Commission”) has again commenced a series of cybersecurity examinations of registered investment advisers. The SEC distributed numerous request letters in May to gather registrant information pertaining to vendor diligence and oversight of cloud providers. The Commission is scrutinizing adviser policies and procedures which relate to the identification and monitoring of risks attendant to client information stored on third party vendor platforms. In general, advisers have a fiduciary duty and regulatory obligation pursuant to privacy regulations and cybersecurity guidance to ensure that non-public client information residing on third-party platforms remains secure and protected from misappropriation.
On May 23, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert entitled “Safeguarding Customer Records and Information in Network Storage – Use of Third-Party Security Features.” OCIE cited issues identified in recent broker-dealer and adviser exams, highlighting its concerns about the cybersecurity risks associated with the storage of electronic customer records and information. This scrutiny extended to various network storage solutions and configuration schemes, including those that leverage cloud-based services.
This recent guidance underscores the SEC’s intent to continue scrutinizing the various cyber risks evident in a firm’s technology architecture and related vendor risk management protocol. As fiduciaries, advisers are responsible for safeguarding client non-public information, which places significant emphasis upon ongoing vendor due diligence.
This latest Risk Alert highlighted effective and ineffective cyber practices observed by the SEC Staff during recent examinations.
The Good …
- Policies and procedures designed to support the initial installation, ongoing maintenance, and regular review of network storage solutions
- Guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly
- Vendor management policies and procedures that include regular implementation of software patches and hardware updates followed by reviews of same to ensure that such patches and updates do not unintentionally change, weaken, or modify security configurations
The Bad …
- Misconfigured network storage solutions – firms did not adequately configure the security settings on their network storage solutions or failed to adopt policies and procedures addressing the security configuration of storage devices
- Inadequate oversight of vendor-provided network storage solutions – firms did not adopt policies, procedures, contractual provisions, or controls to ensure that security settings on network storage solutions were configured in accordance with the firm’s standards
- Insufficient data classification policies and procedures – policies and procedures did not identify the different types of data stored electronically by the firm nor the appropriate controls for each type of data
The Ugly …
- In November 2016, a broker-dealer was assessed a $650,000 penalty for using a third-party cloud provider and failing to ensure that the provider installed anti-virus software or data encryption; foreign hackers accessed the server and exposed the confidential records of 5,400 customers
- When Risk Alerts emerge, enforcement actions are often not far behind
Information technology is constantly evolving, which creates the opportunity for businesses to have better, faster, cheaper access to their information. The advent of the cloud over the past decade has greatly impacted the methods and options for firms to leverage technology. These advantages have also created additional liabilities and risks. Every technology service provider (applications, hardware, and services) has established security and performance best practices. It is critical for all businesses to be aware of these best practices, implement those that make sense, and constantly audit existing and new best practices. This can be done through in-house IT resources or trusted third parties; however, it should be a regular, documented business process that is visible to the adviser’s decision makers.
Technology has the capability to create a powerful platform from which to run a business, but also has the capability to bring a business to its knees and jeopardize its foundation. Thoughtful and disciplined IT management strategies reduce the risks presented by technology.
To mitigate the risks related to cloud providers, consider the following actions:
- Create a data inventory which identifies all forms of sensitive information maintained by the firm in all its forms, mapping such information to internal controls designed to protect it.
- Meet with your IT staff/vendors and review procedures related to the installation, ongoing maintenance, and regular review of network storage devices.
- Require IT staff/vendors to certify in writing that network storage devices are properly configured to maximize security.
- Review policies governing the installation of software patches and hardware updates to ensure that procedures are in place to test systems following installation to ensure proper security configuration.
- Conduct and document oversight of cloud providers.
It is important to note the outsized nature of the enforcement action cited above (5,400 clients and a $650,000 penalty). Penalties associated with cyber breaches generally are levered to the number of client files implicated in a security breach … a conservative estimate for most advisers would peg several dozen records or files per client. Enforcement actions related to cyber vulnerabilities and breaches are on the rise, as is the reputational risk attendant to them.
View the Risk Alert here.