The Office of Compliance Inspections and Examinations (“OCIE”) issued a brief Risk Alert (the “Alert”) on May 23, 2019 describing how firms can manage and store electronic records in a safe and secure manner. The Alert was based upon recent SEC examinations of both investment advisers and broker-dealers and is meant to address issues with both internal and external network storage solutions.
This time around the Staff described both the deficiencies found during examinations and the best practices it observed. Deficiencies discovered included:
- Misconfigured security settings on networks, typically occurring upon implementation
- Lack of vendor oversight to ensure security settings met firm specifications
- Weak data classification policies that did not take into account various data types and the specific controls needed for each
The best practices identified were essentially the opposite of the above; the Staff found that firms had:
- Written policies which covered the installation, maintenance and routine review of electronic storage solutions
- Guidelines for security controls and baseline configuration standards
- Vendor oversight that included enforcement of software patches and hardware updates during reviews to make sure the patches and updates did not have a detrimental impact on security configuration
The timing of this Alert comes while OCIE is still in the midst of its third cybersecurity sweep. Registered firms should not wait to adopt the best practice methods described and should ensure that firm Reg S-P and Reg S-ID policies meet the SEC’s requirements upon examination.