Regulations regarding privacy, cybersecurity and the use of technology seem to be in constant flux. Compliance consultants and vendors do their best to stay on top of them, but ultimately neither are regulated by the SEC, FINRA or the states. Instead, it is the registrants who will be held accountable—both by their clients and their regulators—when data is lost, stolen or misused.
Adding to an increasingly long line of guidance, the SEC’s Office of Compliance Inspections and Examinations (the “OCIE”) released a Risk Alert (the “Alert”) last Thursday that highlighted risks associated with the storage of customer records and information by broker-dealers (“BDs”) and registered investment advisers (“RIAs”) in cloud-based systems and other network storage solutions. In the Alert, the OCIE identified multiple storage practices that put customer information at risk of unauthorized access and raise concerns under Regulations S-P and S-ID.
Key concerns identified by the OCIE in its Alert included firms’ failure to:
- Configure security settings on network storage solutions to protect against unauthorized access, or to address such configuration in their policies and procedures;
- Ensure that security settings on vendor-provided network storage solutions were configured in accordance with the firms’ standards; and
- Identify the different types, or the appropriate controls for each type, of electronically stored data.
The OCIE noted that RIAs and BDs can help mitigate security risks through a strong configuration management program that includes policies and procedures governing data classification, vendor oversight and security features. It noted that effective programs included features such as:
- Policies and procedures supporting the initial installation, ongoing maintenance and regular review of network storage solutions;
- Guidelines for security controls and baseline security configuration standards to ensure proper configuration; and
- Vendor management policies and procedures that include, among other things, regular software patches and hardware updates followed by reviews to ensure effectiveness of the security configuration.
Finally, the OCIE encouraged BDs and RIAs to review their practices, policies and procedures with respect to the storage of electronic customer information; to actively oversee the vendors they use for network storage; and to consider whether any improvements are necessary. BDs and RIAs should consult with counsel with respect to these reviews. As an additional step, BDs and RIAs can review current and proposed vendor agreements to identify and understand the risks they may present, as well as the applicability of indemnification provisions.
You have a variety of tools to help you meet the regulatory obligations outlined in the Alert. If you choose to use compliance consultants or vendors to help you meet your retention and security obligations, it is absolutely incumbent upon you to ensure the solution that you choose fully complies with all applicable state and federal rules. Often, vendors offer a range of products and services that are not compliant unless they are expertly configured and continuously maintained with specific attention to current requirements.
A few practical considerations to keep in mind:
- Products and services marketed to RIAs and BDs are often also sold to all sorts of other companies for document management purposes. As such, the products are designed for a variety of uses and configurations. You cannot assume that the products will be designed in a way that is regulatory-compliant. Regulatory-compliant usage is typically more expensive than other options. Further, procuring a storage solution from a provider that offers compliant storage is not the same as procuring and maintaining a compliant solution.
- Identifying and choosing the right product is only step one. You must also have policies in place to ensure that you and your employees use the product in a compliant manner, and that there are change management controls in place to ensure that down the road a compliant system is not accidentally altered in a way that renders it non-compliant.
- Review all vendor contracts carefully. For example, with respect to cloud-based storage, you should consider the following:
  - Do you maintain ownership, possession and control of your firm's records, or can an employee or other authorized user take, alter or destroy your records?
  - What rights does the vendor have to purge or destroy your required regulatory records if, for example, you're unable to pay storage fees?
- Consider whether an old-fashioned option (e.g., paper files or microfiche) may work better for your business.
Further, while not specifically discussed in the Alert, the practices at issue also prompt concerns relating to cybersecurity (a 2019 examination priority) and compliance with FINRA’s and the SEC’s recordkeeping requirements, particularly SEC Rule 17a-4(f) (for BDs) and SEC Rule 204‑2(g) (for RIAs). These rules prescribe the form and manner of record retention and regularly form the basis for enforcement proceedings and the assessment of large fines, even when no harm has resulted from the violations.
If you have any questions related to protecting your network storage solutions from security risks, or about any other aspect of the regulation of BDs and RIAs, please feel free to contact us.
By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton