In recent years, the United States Securities and Exchange Commission has heightened its emphasis on cybersecurity requirements for firms. Routine examinations now often involve in-depth requests for information on firms’ cyber and data security practices, which are areas of evolving risk for all market participants.
Most investment advisers and broker-dealers use a cloud-based platform for storage of electronic client and business records. This essential business service can create possible compliance gaps and cybersecurity issues if poorly administered or through misuse of security features.
During routine examinations of investment advisers, the SEC identified several potential risk factors and common compliance errors among firms related to electronic records storage and cloud-based servers.
KEY RISK FACTORS
- Inadequate policies and procedures regarding network installation, maintenance, and review of network storage solutions: A lack of policies and procedures designed to ensure cloud-based networks are properly configured upon initial implementation can lead to inadequate network security overall.
- Insufficient vendor oversight: Policies and procedures regarding security of vendor-provided storage solutions must be properly, written, implemented, and overseen internally.
- Failure to classify and protect data based upon risk: Lack of policies and procedures for classifying and protecting data of varying risk levels could put highly sensitive data at-risk in the case of a network breach.
WHAT DOES THIS MEAN FOR ME?
To strengthen data storage security, it is recommended that your firm conduct ongoing review of storage solutions, adopt guidelines for properly configuring these systems, and implement comprehensive vendor management policies and procedures.
Any area of your firm’s recordkeeping left unsecured can lead to possible deficiencies during examinations or, more importantly, put your client and firm’s data at risk of being exploited by cybercriminals. If you are concerned about your firm’s data security or need assistance drafting and adopting a comprehensive data security plan, Fairview can help. Contact us today for more information about what we can do for your firm.