"Weak or misconfigured security settings on a network storage device could result in unauthorized access to information stored on the device."
OCIE staff identified the following concerns that may raise compliance issues under Regulations S-P and S-ID.
- Misconfigured network storage solutions. Some firms did not adequately configure the security settings on their network storage solution to protect against unauthorized access. In addition, some firms did not have policies and procedures addressing the security configuration of their network storage solution.
- Inadequate oversight of vendor-provided network storage solutions. Some firms did not ensure, through policies, procedures, contractual provisions or otherwise, that the security settings on vendor-provided network storage solutions were configured in accordance with the firm's standards.
- Insufficient data classification policies and procedures. Some firms' policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data.
Regarding the recent exam sweep letter sent to RIAs about their cyber due diligence, Askari Foy, managing director of ACA Aponix, a global regulatory cybersecurity firm, told ThinkAdvisor in an email message that "when considering these recent requests for information, it is becoming increasingly evident that the SEC is intent on understanding vendor risk cybersecurity concerns for RIAs — particularly when it comes to cloud service providers."
The SEC, Foy said, "is placing a strong focus on personally identifiable information of both employees and investors, and the material nonpublic information that RIAs manage and share with third-party vendors. ACA has observed through our work with RIA clients the maturation of cyber programs, but there's still much work to be done across the sector."
Foy stated that "there is a wide range of data that RIAs share with vendors, though the exposure that each RIA has with its cloud service provider varies. The SEC wants evidence that RIAs are doing all that they can to identify, monitor and mitigate the risk associated with vendors that custody data or access data networks."