With the transition to electronic storage of client data, Investment Advisers and Broker-Dealers face more complex compliance obligations for safeguarding client information and records. The United States Securities and Exchange Commission (“SEC”) OCIE Risk Alert from May 2019 addresses the deficiencies its staff observed in cloud-based storage arrangements and the points a firm should consider when protecting electronic client and business data.
Cloud-Based Storage for Safeguarding Client Information
Many firms hire outside consultants or technology firms to establish cloud-based storage for their Books and Records data. During recent examinations of Advisory firms, the SEC highlighted several issues with safeguarding client information under Regulations S-P and S-ID. The issues identified included “misconfigured network storage solutions”, “inadequate oversight of vendor-provided network storage solutions”, and “insufficient data classification policies and procedures”.
Safeguarding Client Information and Records
In some of the highlighted situations, the initial set-up of the storage solution lacked adequate controls to protect client data. Reviewing and implementing controls when the cloud-based system is first installed, rather than after the fact, mitigates these issues. It is imperative to understand the architecture and capabilities of the cloud-based solution and how the system will meet the requirements for safeguarding client and business data. Firms should also establish policies and procedures that address the regulatory requirements for protecting client data, both now and as the system changes.
Classification of Client and Business Data
Another area of concern identified in the OCIE Risk Alert was that Advisers stored various types of data in their cloud-based systems without first classifying it. Designing the system for effective use and separation of data by classification is an important element to consider. To properly protect client and business data, Advisory firms should examine every element of their cloud-based systems for both the safety of the data and the effectiveness of its retrieval. Policies and procedures that define storage classifications and the security guidelines that apply to each should also be implemented and maintained.
Due-Diligence of Information Technology Service Providers
One final area highlighted by the SEC was the need for “regular implementation of software patches and hardware updates followed by reviews to ensure that the patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.” When relying on a third-party provider for something as critical as client data, it is important to perform due diligence reviews and ongoing monitoring of the Technology Provider and its services. It is wise for the Advisory firm to test the Technology Provider’s services itself to confirm that adequate controls and procedures are being maintained. Technology is an important and valuable tool for Advisory firms. Prudent firms will conduct due diligence, obtain knowledge and understanding of the technology and its usage, and outline policies and procedures to safeguard client data and the firm’s business data.
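The post-patch review the SEC describes, and the set-up review discussed under Safeguarding Client Information and Records above, both come down to the same check: record the approved security configuration of the storage system, then compare each later snapshot against it and flag any change that weakens protection. The following is an added example of that check written for this article; it is not code from the Risk Alert or from any storage vendor. The configuration keys (public access, encryption at rest, TLS version, versioning, access logging, allowed principals) and both snapshots are constructed to illustrate the idea, not taken from a real system.

```python
"""
Added example: detect security-configuration drift after a vendor patch.
The configuration schema below is a constructed illustration, not a vendor API.
"""
import json

# Constructed baseline: the settings approved when the storage was first set up.
BASELINE = {
    "bucket": "client-records",
    "public_access_blocked": True,
    "encryption_at_rest": {"enabled": True, "kms_managed": True},
    "tls_min_version": "1.2",
    "versioning": True,
    "access_logging": True,
    "allowed_principals": ["role/adviser-ops"],   # constructed identifier
}

# Constructed post-patch snapshot: the update silently reset several settings.
AFTER_PATCH = {
    "bucket": "client-records",
    "public_access_blocked": False,
    "encryption_at_rest": {"enabled": True, "kms_managed": True},
    "tls_min_version": "1.0",
    "versioning": True,
    "access_logging": False,
    "allowed_principals": ["role/adviser-ops", "*"],
}


def flatten(cfg, prefix=""):
    """Flatten nested settings into dotted paths so a diff names the exact setting."""
    out = {}
    for key, value in cfg.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def weak_settings(cfg):
    """Return a list of findings for settings that weaken protection of client data."""
    flat = flatten(cfg)
    findings = []
    if not flat.get("public_access_blocked"):
        findings.append("public access is not blocked")
    if not flat.get("encryption_at_rest.enabled"):
        findings.append("encryption at rest disabled")
    tls = str(flat.get("tls_min_version", "0"))
    if tuple(int(p) for p in tls.split(".")) < (1, 2):
        findings.append(f"TLS minimum version {tls} is below 1.2")
    if not flat.get("versioning"):
        findings.append("versioning disabled (no recovery from overwrite or delete)")
    if not flat.get("access_logging"):
        findings.append("access logging disabled")
    if "*" in cfg.get("allowed_principals", []):
        findings.append("wildcard principal grants access to anyone")
    return findings


def diff_configs(baseline, current):
    """Return {path: (old, new)} for every setting whose value changed."""
    before, after = flatten(baseline), flatten(current)
    return {
        path: (before.get(path), after.get(path))
        for path in sorted(set(before) | set(after))
        if before.get(path) != after.get(path)
    }


def post_patch_review(baseline, current):
    """Compare two snapshots: list all drift, and the changes that introduced weaknesses."""
    changes = diff_configs(baseline, current)
    regressions = sorted(set(weak_settings(current)) - set(weak_settings(baseline)))
    return {
        "changed": changes,            # every drift item; each needs a reviewer's sign-off
        "regressions": regressions,    # drift that weakened the configuration
        "requires_review": bool(changes),
        "passed": not regressions,
    }


if __name__ == "__main__":
    print(json.dumps(post_patch_review(BASELINE, AFTER_PATCH), indent=2, default=str))
```

In practice the two snapshots would be exported from the provider’s management console or API before and after each patch window, and the baseline would be re-approved only when a reviewer has signed off on every entry in the “changed” list, not just on the regressions, since an unexplained change that happens to be harmless today still indicates the vendor altered something the firm did not authorize.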
Click here to read the full OCIE Risk Alert.