Regulations regarding privacy, cybersecurity and the use of technology seem to be in constant flux. Compliance consultants and vendors do their best to stay on top of them, but ultimately neither are regulated by the SEC, FINRA or the states. Instead, it is the registrants who will be held accountable—both by their clients and their regulators—when data is lost, stolen or misused.
Adding to an increasingly long line of guidance, the SEC’s Office of Compliance Inspections and Examinations (the “OCIE”) released a Risk Alert (the “Alert”) last Thursday that highlighted risks associated with the storage of customer records and information by broker-dealers (“BDs”) and registered investment advisers (“RIAs”) in cloud-based systems and other network storage solutions. In the Alert, the OCIE identified multiple storage practices that put customer information at risk of unauthorized access and raise concerns under Regulations S-P and S-ID.
Key concerns identified by the OCIE in its Alert included firms’ failure to:
The OCIE noted that RIAs and BDs can help mitigate security risks through a strong configuration management program that includes policies and procedures governing data classification, vendor oversight and security features. It noted that effective programs included features such as:
Finally, the OCIE encouraged BDs and RIAs to review their practices, policies and procedures with respect to the storage of electronic customer information; to actively oversee the vendors they use for network storage; and to consider whether any improvements are necessary. BDs and RIAs should consult with counsel with respect to these reviews. As an additional step, BDs and RIAs can review current and proposed vendor agreements to identify and understand the risks they may present, as well as the applicability of indemnification provisions.
You have a variety of tools to help you meet the regulatory obligations outlined in the Alert. If you choose to use compliance consultants or vendors to help you meet your retention and security obligations, it is absolutely incumbent upon you to ensure the solution that you choose fully complies with all applicable state and federal rules. Often, vendors offer a range of products and services that are not compliant unless they are expertly configured and continuously maintained with specific attention to current requirements.
A few practical considerations to keep in mind:
Further, while not specifically discussed in the Alert, the practices at issue also prompt concerns relating to cybersecurity (a 2019 examination priority) and compliance with FINRA’s and the SEC’s recordkeeping requirements, particularly SEC Rule 17a-4(f) (for BDs) and SEC Rule 204-2(g) (for RIAs). These rules prescribe the form and manner of record retention and regularly form the basis for enforcement proceedings and the assessment of large fines, even when no harm has resulted from the violations.
If you have any questions related to protecting your network storage solutions from security risks, or about any other aspect of the regulation of BDs and RIAs, please feel free to contact us.
By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton