The Securities and Exchange Commission's May 2019 Risk Alert, which identified security risks associated with the electronic storage of customer records and information, specifically called out the use of third-party cloud-based storage systems. You might wonder why your firm would be responsible for the security of a third-party system, but today's technology security requirements go beyond the coding, architecture, and intellectual property of a particular system: they extend to how your firm configures, uses and oversees it. Because this SEC Risk Alert offers valuable insights that affect your technology, it's worth evaluating some of the issues it raised.
Many advisors may remember the days when they truly "owned" the security infrastructure for their firm. They didn't have the option of a cloud-based storage system, so customer records were most likely stored electronically on a server located in their office. Hopefully they understood the critical security aspects of that device and therefore limited who could access it. That was the beginning of the classic "administrator" versus "user" permission model, and the administrator was responsible for maintaining the server, which of course included its security.
HERE COME THE CLOUDS
Cloud-based systems changed the areas of attention and focus, but they didn't necessarily reduce your security responsibilities. You are no longer directly responsible for certain areas, such as the physical security of the device or redundancy and backup processes, because those are "foundational requirements" for the cloud-based company you select. However, you still control the keys to the kingdom, and that accounts for a large part of the SEC's Risk Alert. You would never give all of your employees direct access to the server in your office, but have you done exactly that (inadvertently) with your cloud-based storage systems? A quick check: for each cloud system, list every user account, the permission level or role it holds, and whether that person still works for you and still needs that level of access.
Your firm should be using every security feature the cloud-based system makes available, including user ID and password standards, two-step verification, IP address tracking and the like. Furthermore, cloud-based companies regularly improve their security parameters and recommendations, or at least they should. Is your firm regularly adopting these new security options and best practices?
The last thing you want is for a regulator to inform you in a deficiency letter that one of these features was available and your firm wasn't using it. This type of situation was directly mentioned in the SEC's Risk Alert. Just as you stay on top of regular operating system and software updates, you need a similar focus for your cloud-based storage systems.
Our profession certainly has benefited from the technology efforts focused on improved data interfaces and integrations across multiple cloud-based systems. Of course, there also are risks that need to be mitigated in this "data
As was covered in the SEC Risk Alert, do you know the "what, where and how" of the data stored on each of these systems? Ideally, you should have a systems diagram that clearly answers these questions: what data each system holds, where it is stored, and how it gets there and moves between systems through integrations. For example, you should document the data stored in your financial planning application. This might include client account data, tax details, documents, and non-direct client information such as beneficiaries. Your systems diagram will have to be a living document, because these products release new features and their integrations are enhanced over time. Ultimately, you want to be able to demonstrate that you know the details of every aspect of your data storage, whether on firm-owned resources or with a cloud-based system.
The SEC Risk Alert also discussed the importance of regular oversight and management of your vendor relationships (e.g., cloud-based systems). This begins with the research and evaluation you conducted when selecting the vendor, and continues with how you incorporated the vendor's role into your policies and procedures once you began using their services. The effort must continue as you regularly review the vendor relationship to ensure that expectations and standards are being met. The vendor also should be making regular technology updates and changes, and it is critical that your firm is involved in implementing those updates in your environment. This is especially true for any changes that might require updates to your firm's procedures.
THE TECHNOLOGY COACH
By Dan Skiles
Digging Deeper Into SEC's Recent Risk Alert
Third-party storage doesn't mean leave it and forget about it. Here are the salient points of the regulator's report.

Dan Skiles is the president of Shareholders Service Group in San Diego. He can be reached