SEC Issues Risk Alert on Cloud Storage of Client Records

Marc Capobianco

The U.S. Securities and Exchange Commission (SEC) has commenced a series of cybersecurity examinations of registered investment advisers (RIAs). It is evident the SEC is committed to understanding cyber-related risks not only at RIAs, but at RIAs' technology partners. RIAs cannot simply move their client data and workloads to a third-party cloud provider and thereby shift the compliance requirements to the cloud provider. RIAs must carefully assess their entire attack surface and implement a configuration management program that includes policies and procedures governing data classification, vendor oversight and proper security configuration to mitigate the risk of cloud-based providers. As more firms transition to cloud-based solutions, cybercriminals are shifting their focus and adapting their tactics to locate and steal valuable data.

What actions should your firm take when moving to a cloud provider?

1. Enable the advanced security features offered by the cloud provider:
   - Enable data encryption (at rest and in transit)
   - Enforce password complexity, account lockouts and multi-factor authentication
   - Enable audit tracking and event logging
   - Disable legacy and weak authentication protocols
2. Implement policies and procedures designed to support the installation, ongoing maintenance and regular review of cloud providers.
3. Establish a baseline security standard and guidelines for security controls to ensure each cloud instance is properly configured.
4. Implement vendor management policies and procedures that include regular patch management and hardware updates. After each patch or update, review and verify that it did not unintentionally alter or weaken the established baseline security configuration.
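Steps 1, 3 and 4 above amount to writing the baseline down and re-checking it after every vendor update. The following is an added example (not from the SEC alert or any provider) of that check: the baseline thresholds, the control names and the two configuration snapshots are constructed for illustration.

```python
from dataclasses import dataclass

# Baseline derived from the checklist above. Predicates and thresholds are
# constructed for illustration, not taken from any provider or regulator.
BASELINE = {
    "encryption_at_rest": (lambda v: v is True, "enabled"),
    "min_tls_version": (lambda v: v >= 1.2, ">= 1.2"),
    "password_min_length": (lambda v: v >= 12, ">= 12"),
    "lockout_threshold": (lambda v: 1 <= v <= 10, "1..10 failed attempts"),
    "mfa_required": (lambda v: v is True, "enabled"),
    "audit_logging": (lambda v: v is True, "enabled"),
    "legacy_auth_protocols": (lambda v: len(v) == 0, "none enabled"),
}

@dataclass(frozen=True)
class Finding:
    control: str
    expected: str
    observed: object

def evaluate(snapshot: dict) -> list:
    """One Finding per baseline control the snapshot fails or omits."""
    findings = []
    for control, (passes, expected) in BASELINE.items():
        if control not in snapshot:
            findings.append(Finding(control, expected, "<missing>"))
        elif not passes(snapshot[control]):
            findings.append(Finding(control, expected, snapshot[control]))
    return findings

def regressions(before: dict, after: dict) -> list:
    """Controls that met the baseline before an update but fail after it."""
    failed_before = {f.control for f in evaluate(before)}
    return [f for f in evaluate(after) if f.control not in failed_before]

# Constructed snapshots: PRE_UPDATE meets the baseline; the vendor update in
# POST_UPDATE silently disabled lockouts and re-enabled a legacy protocol.
PRE_UPDATE = {"encryption_at_rest": True, "min_tls_version": 1.2,
              "password_min_length": 14, "lockout_threshold": 5,
              "mfa_required": True, "audit_logging": True,
              "legacy_auth_protocols": ()}
POST_UPDATE = dict(PRE_UPDATE, lockout_threshold=0, legacy_auth_protocols=("ntlmv1",))

if __name__ == "__main__":
    for f in regressions(PRE_UPDATE, POST_UPDATE):
        print(f"REGRESSION {f.control}: expected {f.expected}, observed {f.observed!r}")
```

A missing setting is reported as a failure rather than silently passing, so a snapshot exported by a new provider version that dropped a field still surfaces in the review.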

For more information on this SEC Risk Alert please see:  https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf

#compliance #cybersecurity #OneStepAhead

Earlier this week, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a risk alert for Investment Advisers and Broker-Dealers regarding compliance issues related to Regulation S-P – Privacy Notices and Safeguard Policies.

The key areas identified by the OCIE were failures by firms to provide clients with privacy and opt-out notices, a lack of policies and procedures, and policies that were not implemented or not reasonably designed to safeguard customer records and information.

Recent SEC examinations identified the following areas as the most frequent compliance deficiencies.

What steps should your firm be taking?

Personal Devices: Ensure that employees do not regularly store or maintain customer information on their personal laptops without policies and procedures that address how these devices are to be properly configured to safeguard the customer information.

Electronic Communication: Ensure your firm has policies and procedures to address the inclusion of customer personally identifiable information (PII) in electronic communication.

Training and monitoring: Maintain policies and procedures that require customer information to be encrypted, password-protected, and transmitted using only firm-approved methods. Second, provide adequate training and monitoring on these procedures to ensure they are being properly adhered to.

Unsecured networks: Implement policies and procedures that prohibit employees from sending customer PII to unsecured locations outside of the firm's network.

Outside vendors: Require outside vendors to contractually agree to keep customers’ PII confidential.

PII inventory: Maintain an inventory and identify all systems on which customer PII is maintained.

Incident response plans: Maintain a written incident response plan that identifies and addresses role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.

Unsecured physical locations: Ensure customer PII is stored in secure physical locations.

Login credentials: Ensure customer login credentials are not disseminated to more employees than permitted under the firm's policies and procedures.

Departed employees: Maintain controls to ensure former employees do not retain access rights after their departure.

For more information please visit:  https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf

#Compliance #OneStepAhead #GetTier1Net

1. Start with the data.

2. Understand the value of the data to the business.

3. Elevate data awareness within the firm.

https://www.financial-planning.com/news/what-rias-should-learn-from-blackrocks-data-leak

Change is coming to the Massachusetts data breach law, effective April 11, 2019. Here is what you need to know:

New Amendments to Massachusetts’ data breach notifications law

The Financial Industry Regulatory Authority (FINRA) has shared its Report on Selected Cybersecurity Practices — 2018. This report focuses on firms' primary challenges and the most frequent cybersecurity findings from FINRA's examination program. The report highlights the importance of Data Loss Prevention (DLP), Security Information and Event Management (SIEM) solutions, penetration testing and cybersecurity training within the firm.

#cyberSecurity #alwaysLeading #getTier1Net

SEC Office of Compliance Inspections and Examinations Announces 2019 Examination Priorities

FOR IMMEDIATE RELEASE
2018-299

Washington D.C., Dec. 20, 2018 —
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) today announced its 2019 examination priorities. OCIE publishes its exam priorities annually to promote transparency of its examination program and provide insights into the areas it believes present potentially heightened risk to investors or the integrity of the U.S. capital markets. This year, particular emphasis will be on digital assets, cybersecurity, and matters of importance to retail investors, including fees, expenses, and conflicts of interest.

“OCIE continues to thoughtfully approach its examination program, leveraging technology and the SEC staff’s industry expertise,” said SEC Chairman Jay Clayton. “As these examination priorities show, OCIE will maintain its focus on critical market infrastructure and Main Street investors in 2019.”

“OCIE is steadfast in its commitment to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that improve compliance, prevent fraud, monitor risk, and inform policy. We believe our ongoing efforts to improve risk assessment and maintain an open dialogue with market participants advance these goals to the benefit of investors and the U.S. capital markets,” said OCIE Director Pete Driscoll.

This year, OCIE’s examination priorities are broken down into six categories: (1) compliance and risk at registrants responsible for critical market infrastructure; (2) matters of importance to retail investors, including seniors and those saving for retirement; (3) FINRA and MSRB; (4) digital assets; (5) cybersecurity; and (6) anti-money laundering programs.

Compliance and Risks in Critical Market Infrastructure – OCIE will continue to examine entities that provide services critical to the proper functioning of capital markets. OCIE will conduct examinations of these firms which include, among others, clearing agencies, national securities exchanges, and transfer agents, focusing on certain aspects of their operations and compliance with recently effective rules.

Retail Investors, Including Seniors and Those Saving for Retirement – Protecting Main Street investors continues to be a priority in 2019. OCIE will focus examinations on the disclosure and calculation of fees, expenses, and other charges investors pay, the supervision of representatives selling products and services to investors, broker-dealers entrusted with customer assets, and portfolio management and trading.

FINRA and MSRB – OCIE will continue its oversight of FINRA by focusing examinations on FINRA’s operations and regulatory programs and the quality of FINRA’s examinations of broker-dealers and municipal advisors. OCIE will also examine MSRB to evaluate the effectiveness of select operations and internal policies, procedures, and controls.

Cybersecurity – Each of OCIE’s examination programs will prioritize cybersecurity with an emphasis on, among other things, proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security.

Anti-Money Laundering Programs – Examiners will review for compliance with applicable anti-money laundering requirements, including whether firms are appropriately adapting their AML programs to address their regulatory obligations.

The published priorities for 2019 are not exhaustive and will not be the only issues OCIE addresses in its examinations, Risk Alerts, and investor and industry outreach. While the priorities drive OCIE’s examinations, the scope of any examination is determined through a risk-based approach that includes analysis of the registrant’s operations, products offered, and other factors.

The collaborative effort to formulate the annual examination priorities starts with feedback from examination staff, who are uniquely positioned to identify the practices, products, and services that may pose significant risk to investors or the financial markets. OCIE staff also seek advice of the Chairman and Commissioners, staff from other SEC divisions and offices, and the SEC’s fellow regulators.

OCIE is responsible for conducting examinations of entities registered with the SEC, including more than 13,200 investment advisers, approximately 10,000 mutual funds and exchange traded funds, roughly 3,800 broker-dealers, about 330 transfer agents, seven active clearing agencies, 21 national securities exchanges, nearly 600 municipal advisors, FINRA, the MSRB, the Securities Investor Protection Corporation, and the Public Company Accounting Oversight Board, among others. The results of OCIE’s examinations are used by the SEC to inform rule-making initiatives, identify and monitor risks, improve industry practices, and pursue misconduct.

https://www.sec.gov/news/press-release/2018-299