Cloud computing is the delivery of computing services (i.e., storage and network infrastructure and software-as-a-service (“SaaS”)) on the internet rather than your computer’s hard drive. Currently, cloud computing is considered a valuable asset to firms industry-wide. It is important to have Malecki Law’s FINRA Regulatory Lawyers in New York assist in ensuring your firm’s storage systems are sufficient. As a result, the Financial Industry Regulatory Authority’s (“FINRA”) Office of Financial Innovation (“OFI”) published a report addressing the results of a study regarding the state of cloud adoption within the securities industry. In drafting the report, FINRA obtained data from roughly 40 broker-dealer firms, cloud service providers, industry analysts, and technology consultants.
The report noted that cloud computing strengthens a brokerage firm’s ability to scale operations, generate business continuity solutions and quickly deploy products. Moreover, firms claimed that there are both benefits and challenges regarding agility, resiliency, costs, cybersecurity, staffing, and operations. Additionally, many firms claimed that migrating to the cloud may allow them to be more innovative and offer products at a faster speed. Firms also felt that cloud computing enables them to more efficiently scale computer usage to assist with the increase in IT resources.
As part of its recommendations, FINRA advised broker-firms that use third-party service providers that they have an ongoing responsibility to monitor and supervise the provider’s performance and create oversight procedures. FINRA also encourages companies and vendors to “re-evaluate their approach to security, including reviewing cloud misconfigurations and poor access controls; update data-related policies and procedures if a firm’s cloud adoption leads to changes in how it collects, stores, analyzes, and shares sensitive customer data; create, maintain, and annually review a written business continuity plan, in line with the FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information); consider the risk posed by cloud vendors and service providers; ensure that any data and information stored in the cloud is compliant with Exchange Act Rule 17a-4, and are preserved in a non-rewriteable and non-erasable format.”
More specifically, Section 17(a)(1) of the Securities Exchange Act (“SEA”) requires registered broker-dealers to “make, keep, furnish and disseminate records and reports prescribed by the Securities and Exchange Commission (“SEC”).” Your firm needs a New York FINRA Regulatory Law Firm, like the lawyers at Malecki Law, to identify and explain the requirements under the relevant securities laws. FINRA defines books and records as “the books, accounts, records, memoranda, correspondence, and other documentation or information that firms have to make and preserve in accordance with the federal securities laws, MSRB rules, FINRA rules and all other applicable laws, rules, and regulations.” These books and records must be accurate, true, and complete, and any alteration, falsification, or destruction of the books and records is a violation of FINRA and SEC rules. Under FINRA Rule 4511, firms must preserve records for at least six years as a default rule if the books and records at issue do not have a preservation time outlined under the FINRA or SEA rules.
SEA Rule 17a-4 governs the requirements for data retention, indexing, and accessibility for companies that trade or deal with the brokering of financial securities such as stocks and bonds. To be compliant with Rule 17a-4, brokerage firms must retain index records of certain transactions on Write Once Read Many (“WORM”) media. WORM media is a type of technology that stores data on a single disk and disables the ability to edit, overwrite, or erase the data on the disk. This requirement helps the SEC, self-regulatory organizations (“SROs”), and state securities regulators conduct effective examinations of broker-dealers.
WORM compliance can be achieved through cloud computing. To be compliant, brokerage firms can engage in software-as-a-service (“SaaS”), where a firm will contract with a cloud provider to use its application service. Thereafter, the firm will configure its current business technology system to archive records to the cloud rather than its internal system. Alternatively, a firm may engage in infrastructure-as-a-service (“IaaS”), which enables a firm’s records to be retained. However, the firm is responsible for maintaining and monitoring its own records. This is a complicated area of law, requiring the skill of a New York FINRA Regulatory Attorney at Malecki Law. The FINRA report noted that SaaS products are particularly prevalent in smaller brokerage firms. These firms will use off-the-shelf SaaS Cloud products for non-core business functions, such as email systems, customer relationship management, financial accounting, and human resources operations. Many brokerage firms took a slower approach, meaning they took a “measured approach” instead of jumping into the deep end because they acknowledged the need for modifications, specialized skills and training, and measuring financial impact. Moreover, firms ensured that they developed governance and cloud security policies and procedures to safeguard data, and cultural changes were associated with the migration to cloud computing because companies focused on ensuring greater responsiveness to business needs and the market.
Many financial benefits of migrating to the cloud may only be experienced in the long term. On the flip side, migrating to the cloud provides short-term effects by forcing firms to hire people with specialized knowledge and to rethink their firm and modify workflows, data, and applications. However, the firms claimed that one drawback of cloud computing is that cloud environments can be less secure if appropriate measures like encryption and key management are not taken. Moreover, the firms explained that it is important to allocate risk and specific responsibilities between the firm and cloud service provider to ensure each party understands its responsibilities. If your firm is interested in migrating to cloud computing, it needs FINRA Regulatory Lawyers in New York to ensure it understands the risks and responsibilities that accompany cloud computing. Reach out to Malecki Law for a free consultation to further discuss this potential change in your firm’s business model. However, a downside to cloud computing is the risk of a firm becoming excessively dependent on a cloud provider (“lock-in risk”). An issue could arise and compromise resilience if a provider becomes unreliable. Firms noted that, although a challenging task, portability and “containerization” can be an effective strategy to minimize lock-in risk.
The SEC Recently Adopted Amendments to Electronic Recordkeeping Rules
On October 12, 2022, the Securities and Exchange Commission adopted amendments to the electronic recordkeeping, prompt production of records, and third-party recordkeeping service requirements, in an effort to modernize the recordkeeping requirements. The recordkeeping requirements will amend the Securities Exchange Act of 1934 Rule 17a-4. Once the amendment goes into effect, it will allow broker-dealers to adopt any recordkeeping process, so long as the original document can be produced if it is altered, overwritten, or erased. This adoption allows broker-dealers to keep up with modern technological trends, while simultaneously protecting the authenticity and reliability of original records.
Contributions by Victoria Okraszewski, NYLS Securities Arbitration Seminar and Field Placement Extern