SEC Issues Risk Alert on Cloud Storage of Client Records

SEC Issues Risk Alert on Cloud Storage of Client Records


Marc Capobianco

The U.S. Securities and Exchange Commission (SEC) has commenced a series of cybersecurity examinations on registered investment advisers (RIA’s).  It is evident the SEC is committed to understanding Cyber-related risks not only at RIAs, but with RIAs’ technology partners.  RIA’s are not able to simply move their client data and workloads to a third party cloud provider and consequently shift the compliance requirements to the cloud provider.  RIA’s must carefully assess their entire attack surface and implement a configuration management program that includes policies and procedures governing data classification, vendor oversight and proper security configuration to mitigate the risk of cloud-based providers.  As more firms continue to transition to cloud-based solutions, cybercriminals are simply shifting their focus and adapting their tactics to locate and steal valuable data.

What actions should your firm take when moving to a cloud provider?

1.  Enable advanced security features offered by the cloud provider.
-Enable data encryption (at rest and in transit)
-Enforce password complexity, account logouts and multi-factor authentication
-Enable audit tracking and event logging
-Disable legacy and weak authentication protocols
2.  Implement policies and procedures designed to support the installation, ongoing maintenance and regular reviews of cloud providers.
3.  Establish a baseline security standard and guidelines for security controls to ensure each cloud instance is properly configured.
4.  Implement vendor management policies and procedures that include regular patch management and hardware updates. Review and verify whether patches or updates did not unintentionally alter or weaken the established baseline security configuration.

For more information on this SEC Risk Alert please see:

#compliance #cybersecurity #OneStepAhead


Leave a Reply

Your email address will not be published. Required fields are marked *


HTML tags are not allowed.