The SEC recently issued a risk alert warning about using vendors and cloud-based platforms. Many broker dealers and investment advisors are turning to these third parties to store customer data. In its alert, the SEC’s Office of Compliance Inspections and Examinations warns firms that relying on those third parties’ security tools is not, in and of itself, sufficient for the companies to demonstrate compliance with Regulations S-P and S-ID. These regulations require broker-dealers and investment advisers to protect customer records and detect and prevent identity theft.
Of concern for the SEC is firms who might have inadequately configured the security settings on their network storage systems–whether on site or cloud-based. Also of concern, and mentioned in the report, is failing to exercise enough oversight over the vendors’ security settings. The SEC warns firms to have policies and procedures sufficient to (a) identify all the different types of customer data and (b) implement appropriate controls to protect each class of data. It also recommends that companies have vendor management policies that provide for regular implementation and monitoring of software patches and hardware updates.
Putting it Into Practice: This alert from the SEC is a reminder that companies cannot rely only on third parties’ representations about security. Companies will also want to exercise proactive and ongoing assessments of both their own and their vendors’ network storage systems’ security settings.
*Katherine Boy Skipsey is a summer associate in Sheppard Mullin’s New York office.