In this Ropes & Gray podcast, asset management partners Laurel FitzPatrick and Joel Wattenbarger discuss the Risk Alert published on May 23, 2019 by the SEC's Office of Compliance Inspections and Examinations, which addresses the obligation to safeguard customer records and other information in cloud-based or network storage solutions.

Transcript:

Joel Wattenbarger: Hello, and thank you for joining us today on this Ropes & Gray podcast, the latest in our series of podcasts and webinars focused on private fund regulatory issues. I'm Joel Wattenbarger, a partner in our asset management group based in New York. Joining me today is Laurel FitzPatrick, a partner in our asset management group also based in New York. Today, we are going to be discussing the Risk Alert published on May 23, 2019 by the SEC's Office of Compliance Inspections and Examinations, or OCIE for short, discussing the obligation to safeguard customer records and other information in cloud-based or network storage solutions.

Laurel, this Risk Alert is not intended to impose new obligations on registered investment advisers or broker-dealers, but rather to highlight some of the common deficiencies the OCIE is seeing with respect to investment advisors' recordkeeping practices. Perhaps it makes sense to briefly summarize the recordkeeping obligations the Risk Alert is addressing.

Laurel FitzPatrick: Of course. This Risk Alert considers the use of network or cloud-based storage and how the use of those platforms may cause a registered investment adviser or broker-dealer to run afoul of Regulation S-P or Regulation S-ID, each of which imposes obligations on financial institutions to protect the confidentiality of their customers' personal information. Registered investment advisers, depending on their clients, may or may not, or may have varying, substantive obligations under these regulations. Also, they or their private funds may instead have obligations under other similar regulations. Given the general nature of the guidance in the Risk Alert, we view it as providing useful insight into the OCIE's overall thinking about privacy and data security, particularly as applied to the use of outsourced electronic storage solutions.

Joel Wattenbarger: Yes, specifically, the Risk Alert provides what is likely to be an outline for how the SEC staff would consider similar issues arising under Rule 204-2 of the Advisers Act, the so called "recordkeeping rule." In addition to setting out a lengthy list of books and records that registered investment advisers are required to make and maintain, Rule 204-2 contains specific requirements applicable to advisers utilizing electronic storage, which is just about everyone these days. Any advisers storing records electronically, must satisfy the following three conditions:

  1. To maintain and preserve the records, so as to reasonably safeguard them from loss, alteration, or destruction;
  2. To limit access to the records to properly authorized personnel and the Commission (including SEC examiners and other representatives); and
  3. To reasonably ensure that any reproduction of a non-electronic original record on electronic storage media is complete, true, and legible when retrieved.

Laurel FitzPatrick: Exactly. Because the first two of those Rule 204 requirements are intended to address the same risks discussed in the Risk Alert, we look at the Risk Alert as being of interest to all registered investment advisers and their compliance staff. The guidelines in the Risk Alert are, as a practical matter, best practices endorsed by OCIE. They very well may serve as touch points for the SEC's evaluation of investment advisers' obligations to store and maintain all required information, not just materials containing personal information. The Risk Alert highlighted three deficiencies in the implementation and use of network and cloud storage. First, the OCIE staff observed that network storage typically permits investment advisers to implement a variety of security features designed to prevent unauthorized access to stored information, it was often the case that these features were not activated or were incorrectly configured. In some cases, advisers made no changes to the default settings. These issues were frequently the result of a lack of oversight during the initial implementation of the storage solution and continued as a result of the lack of any regular or ongoing review of the storage platform and its access and security settings.

Joel Wattenbarger: As the Risk Alert notes, avoiding this pitfall may be as easy as ensuring that an investment adviser's compliance and information technology teams work together on the initial onboarding of a new storage solution to ensure that security settings are appropriately configured and that access controls are consistent with regulators' expectations and with the adviser's compliance policies and procedures. Advisers should also periodically revisit security and access controls to confirm that they remain appropriate.

Laurel FitzPatrick: The second deficiency identified by the OCIE staff was, in principal, the same as the first, but specific to cloud-based storage solutions. Like network storage solutions controlled end-to-end by the adviser, cloud-based storage solutions typically include a number of security and access control features that an investment adviser can implement and configure.

Joel Wattenbarger: And, similarly, this deficiency can be avoided if an adviser's compliance and IT teams work together when onboarding a cloud-based storage solution to ensure that the security and access control features and settings are configured in a manner consistent with the adviser's policies and procedures and its obligations under the various regulations addressing privacy and data security. Advisers should also consider requiring cloud-storage vendors to periodically update software and, if applicable, hardware to maintain and enhance the security and access controls over the term of an engagement.

Laurel FitzPatrick: The third deficiency outlined in the Risk Alert was a failure to accurately identify different types of data stored electronically, and, as a result, a failure to ensure that heightened security or access control measures applied to all applicable data. This can be a difficult issue to address, but registered investment advisers are required to have policies and procedures to identify and retain specific types of information under the Advisers Act Rules 204-2(a)(7) and 206(4)-7, and these policies likely already capture personal information by virtue of the types of materials that are required to be retained or can be expanded as necessary to cover additional types of correspondence and other documents that may contain personal information.

Joel Wattenbarger: Well thank you, Laurel, for joining me today for this discussion. And thank you to our listeners. For more information on the topic we discussed today, or other topics of interest to the private fund community, please visit our website at www.ropesgray.com. And of course, if we can help you navigate any of these areas, please don't hesitate to contact any one of us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.