The SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert warning firms to monitor and supervise third-party cloud providers that house their regulatory data. OCIE has observed many firms failing to properly configure security settings and thereby neglect to utilize available security services such as encryption and password protection. OCIE has also seen weak oversight of third-party cloud providers including failures to assess information security and utilization of available security features. OCIE would like to see significant policies and procedures addressing the installation, maintenance and review of network storage solutions as well as robust vendor management policies that require the regular implementation of software patches and hardware updates.
Firms can (and probably should) outsource their network and data storage to qualified vendors, but they cannot abdicate their responsibilities to ensure the data is protected from unauthorized intrusion. The compli-pros must work with the IT folks to assess the cloud provider’s ongoing compliance.