Have You Documented Your Data Storage Vendor Due Diligence?

On May 23, 2019 the Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert identifying frequent security risks associated with the storage of electronic customer information. This can include network storage solutions and cloud-based storage. This risk alert follows another alert from just last month that was also focused on the protection of customer information.

In this most recent alert, examiners noted that the key theme of these issues was not a failure of the vendors, but a failure by firms to use security features that were available. This, in turn, leaves firm and customer information potentially vulnerable to unauthorized access. Examiner concerns include the assessment and classification of the types of data stored on a given system, due diligence and oversight of third-party storage solutions, and a failure to configure available features to protect against unauthorized access.

What does this mean for CCOs? These concerns should prompt firms and CCOs to reconfirm that you know where personally identifiable information (PII) is maintained. You should be protecting all data, but PII falls into a higher risk category and should receive the attention it deserves. In addition, for new firms, compare cloud vendors and pick one with the highest level of security; they are not all offering the same level of data protection. For existing firms, check in periodically with the vendors storing your data and ask good questions. In addition, as inconvenient as it might be, enable all security features. Yes, if your IT people do a good job of controlling how you and firm employees access firm data (oh no, need to reset my password again), it goes a long way in preventing unwanted intruders.

In the alert, examiners identified features of effective network management programs, including policies and procedures governing data classification, vendor oversight, and security features:

  • Policies and procedures that address initial installation, maintenance, and periodic review of information storage solutions;
  • Security control and configuration standards to ensure that each network is configured properly; and
  • Software vendor management procedures that include regular hardware assessment and updates of software patches, followed by reviews to assess any impact to existing configurations and overall security.

While CCOs are not expected to be cyber experts, they need to use alerts like this to ask vendors and IT personnel good questions. CCOs also need to consider enhancing policies and procedures to ensure (1) an understanding of the sensitivity of the data they are protecting, (2) controls that are reasonably designed to protect that data, and (3) consistent, ongoing implementation of those controls through regular reviews.

The SEC has communicated an expectation of active assessments of the adequacy of those protections and active oversight of vendors. It is important to remember that protecting customer data runs parallel to protecting your clients’ best interests – your responsibility as a fiduciary.