SEC Risk Alert - Data Security and Use of Third Party Vendors

David McNeal, Consultant and Contributor of My Compliance Blog

Cory Roberson, Principal of FIN Compliance and FIN Lancer

May 30, 2019. The SEC Office of Compliance Inspections and Examinations (“OCIE”) published a security risk alert based on their findings of broker-dealer and investment adviser firms storing electronic customer records and information using various types of storage, including third-party vendor solutions.

Data Protection – (Rule: S-P. 17 C.F.R. 248.30(a)) requires every SEC-registered broker-dealer and investment adviser to adopt written policies or procedures addressing administrative, technical and physical safeguards in place to protect customer records and information.

During examinations, OCIE staff reported the following concerns that may raise compliance issues under Regulations S-P and S-ID:

Misconfigured network storage solutions.

In some cases, companies have not properly configured their network-storage solution's security settings to protect against unauthorized access. Moreover, some companies did not have policies or procedures to address their network storage solutions ' security configuration. Furthermore, incorrect configuration resulted from inefficient monitoring of existing storage solutions.

Inadequate oversight of vendor-provided network storage solutions.

In other cases, companies have not made sure that the safety settings for networking solutions provided by the vendor are configured according to the company's standards of policies, procedures, contractual provisions or otherwise.

Insufficient data classification policies and procedures.

Lastly, the OCIE reports that policies and procedures of some companies have not identified the different data types electronically stored by the firm and the appropriate checks for each data type.

For instance, the popular CRM vendor Redtail experienced a data breach due to “inadvertently stored investors' personal information on a debug log file.”  Cybersecurity experts think that this vendor is not alone in its risks associated with accessing data in debug mode.

Red Tail case study: Data breach/data classification issues.

Effective Practices

The risk alert recommends firms to implement a configuration management program that includes data classification, vendor supervision and security policy and procedures to mitigate risks associated with the use of on-site or cloud network storage solutions.

The OCIE suggests the following examples are features of effective configuration management programs, data classification procedures, and vendor management programs, including:

Policies and procedures designed to support installation of the network storage solutions, ongoing maintenance and regular review.

Security check guidelines and baseline configuration standards to ensure proper protection levels for each network solution.

The vendor management policies and procedures should include, among other things, regular software patch and hardware updates and reviews to ensure that such patches and updates have not changed, weakened or otherwise modified safety settings unintentionally.

The OCIE highlighted risks related to broker-dealers and investment advisors using the cloud and other types of network storage solutions for securing electronic records and information.

The risk alert can be found at:

https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf

Cloud Directory Users: Our cloud data security on FIN Compliance

Our RIA Cloud Storage is powered by Google Cloud Platform, a third-party cloud computing service by Google that offers hosting on the same supporting infrastructure that Google uses internally for end-user products like Google Search and YouTube. Cloud Platform provides developer products to build a range of programs from simple websites to complex applications. FIN Compliance is not affiliated with Google nor any of its affiliates.

Google maintains the following security certifications:

SOC1™ (SSAE-16/ISAE-3402) - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine

SOC2™- G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine

SOC3™- G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine

ISO27001 - for G Suite and Google Cloud Platform

ISO27017 - for G Suite and Google Cloud Platform

ISO27018 - for G Suite and Google Cloud Platform

HIPAA - G Suite, Google Compute Engine, Google Cloud Storage, Google Big Query, Google Cloud SQL

HIPAA - Google App Engine, G Suite

FEDRAMP - Google App Engine, G Suite

Second factor authentication

Users can add another layer of security through the use of password Security Questions. 

In addition, we recommend firms to implement a policy for password storage, updating passwords, employee recordkeeping, access privileges, and other data safeguarding in their compliance/operations manuals.  We encourage the use of encrypting any document files that contains customer personal identification information.

Security enhancements/updates

Based on these alerts, we will be creating our configuration management program to include data classification, vendor supervision and security procedures to mitigate risks associated with our on-site or cloud network storage solution. 

An overview of these policies will be updated on our Disclaimers/Security page found here: https://fincompliance.io/Disclaimers

Clients may contact us for more information on our cloud storage system capabilities. 

---

Compliance/Business Management Systems

About FIN Compliance 

FIN Compliance (FinCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm, RIA Review, a compliance-management software tool (SaaS), B-D Review, a RIA/Broker-Dealer compliance management software tool, FIN Ventures, providing business/startup strategies, and FINLancer, a business management portal featuring:  E-signature tools; Invoicing integration, Vendor Directory, continuity directory*, business client document portal, and more (available by Q4 2019).  

Access all services on one site: FINCompliance.io.

Review our brochure here

Our Products and Services

RIA Registration Services:  Adding new Jurisdictions
Compliance Consulting:  Ongoing review Assistance, policy & procedures, and filings.
Compliance Management System: for internal review process.
Business Management System: for Project/Task Delegation, Business/Firm Directory, E-contracts, workflows, and more 

Succession Planning/Transition and, Partner Matchmaking Services

We are pleased to announce a new deal flow service that includes transition planning, deal flow, and partnerships. We will have more information available as our offering develops.  Both older and new advisors alike can begin to prepare for changes in the industry.  It’s a good time to evaluate opportunities whether you are a young firm looking to buy a book of business or an older advisor looking to establish an exit for retirement.  For firms interested, we are offering a matchmaking service to connect older and new firms together for deal flow, succession planning, partnerships, and more.  

Email Us to schedule a brief session to review needs

Business Directory 

Impact

FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs.  In addition, Cory has volunteered for more than fifteen youth programs in locations such as like S. Korea, China, S. Africa, Thailand, and India.