OCIE Warns of Cloud-Based Server Security Risks
WHAT HAPPENED?
Last week, the Office of Compliance Inspections and Examinations (OCIE) discovered several security risks related to the storage of customer information by broker-dealers and advisers, particularly related to the use of cloud-based servers. The primary risk was found to stem from firms choosing not to utilize available security features on storage platforms.
OCIE identified several common issues which could result in gaps in Regulation S-P and S-ID compliance:
- Inadequate policies and procedures governing the installation, maintenance and review of network storage solutions: Some firms examined did not have policies and procedures in place to ensure cloud-based networks would be properly configured upon initial implementation. This led to inadequate network security overall.
- Insufficient vendor oversight: In other cases, firms’ existing policies and procedures regarding the security of vendor-provided storage solutions were not followed or properly overseen.
- Failing to classify and protect data based upon risk: Some examinations revealed that firms had poorly drafted policies or procedures in place for classifying and protecting data of varying risk levels, putting highly sensitive data at risk.
To strengthen data storage security, OCIE recommends conducting ongoing reviews of storage solutions, drafting guidelines for properly configuring these systems, and implementing comprehensive vendor management policies.
WHAT DOES THIS MEAN FOR ME?
A lack of security on cloud-based storage platforms, including misconfiguration of data storage technology, poor oversight of vendor-provided network storage, and failure to scale security measures to the risk level of the data being protected, can leave data vulnerable to access by unauthorized persons.
Creating and implementing a dynamic cyber security program, aligned with Regulation S-P and S-ID requirements, is a key element in gaining client trust and maintaining a full compliance program.
Fairview Cyber provides clients full-service vendor management, including: remote and onsite due diligence reviews and maintenance of an approved vendor list; complete drafting of cyber security policies and procedures; and ongoing penetration testing.
If your firm is seeking to supplement your cyber and vendor management support, Fairview Cyber can help. Contact us to learn more about what we can do for your business.