OCIE Risk Alert Assesses Risks Associated With Storage of Electronic Customer Records

On 23 May 2019, the US’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert exploring the safeguarding of customer records and information in network storage.

Following recent examinations, OCIE has identified security risks associated with the storage of electronic consumer records, especially those utilising cloud-based storage options. It noted that, while these cloud solutions invariably offer high-end security features, businesses are failing to utilise them appropriately. Concerns raised by OCIE included the misconfiguration of network storage solutions, inadequate oversight of vendor-provided network storage solutions and insufficient policies and procedures surrounding data classification.

OCIE highlights that a configuration management program that comprises policies and procedures that will govern data classification, vendor oversight and security features will all help mitigate the risks of cloud-based solutions. OCIE calls on broker-dealers and investment advisers to consider whether improvements are needed within their current systems. Moreover, it encourages them to actively oversee any vendors it has engaged in cloud-based storage to ensure that the service provided is sufficient in enabling the firm to meet its regulator requirements.