You are here

SEC Risk Advisory on Third Party Data Storage

Safeguarding Customer Records and Information in Network Storage 

Many organizations—especially broker-dealers and investment advisory firms—are increasingly relying on cloud solutions for data storage. These solutions offer compelling capabilities and flexibility, but not without introducing new risks to your data security environment. OCIE recently released a Risk Alert describing their recent exam findings around data storage solutions, which highlighted three common issues:

  • Cybersecurity of the storage devices and applications is often inadequate. While the vendor providing the solution typically handles security of the infrastructure and makes user-level security features available, many organizations failed to fully utilize those features. These may include user access restrictions, authentication mechanisms, alerting and reporting, encryption options, protocol and service options, and much more. A security hardening standard should be in place to ensure that these features are configured appropriately for your risk profile.
  • Due diligence and monitoring of the vendors themselves was sometimes inadequate.Vendor management is increasingly key to many organizations who rely on third-party outsourcers. You must ensure that vendors protect the confidentiality, integrity, and availability of your data in accordance with your standards. An effective vendor management program sets policy surrounding risk assessment, selection due diligence, contract structuring, and ongoing monitoring.
  • Many firms did not have a formal data classification policy to govern their data storage, retention, and disposal procedures.Creating an inventory of all data that you store or process, and identifying where confidential or otherwise sensitive data is stored, allows you to configure storage solutions with appropriate security features, retention periods, and destruction methods according to the data’s risk requirements.

Adopting cloud solutions can reduce the administrative burden on your IT department, but managing their associated risks is difficult. Wolf & Company offers a broad range of technology assurance and advisory services to keep your firm ahead of the curve, out of regulatory hot water, and safe from cyber threats. 

Still have questions about SEC Risk Advisory on third party data storage? Reach out to Ryan Rodrigue, Principal at, or Jason Clinton, IT Assurance Supervisor at


June 3, 2019