Investment advisers and other financial firms should ensure customers' electronic information is handled securely, the SEC's Office of Compliance Inspections and Examinations said in a Risk Alert.
Security risks related to storage of electronic customer records in various network storage solutions, including cloud-based storage, came up during OCIE exams. Examiners noted that in some cases, while financial firms had security features designed to prevent unauthorized access, they were not always using them. Other problems noted were network storage devices with weak or misconfigured security settings, a lack of policies or procedures on security configuration, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures.
While the May 23 risk alert expressed the views of OCIE staff, not the SEC, the concerns "may raise compliance issues," the alert said.
Financial firms should review customer information storage policies and procedures for possible improvements and "actively oversee" vendors used for network storage. The risk alert offers examples of what it considers effective practices and standards.