Does Cloud Storage Meet SEC And FINRA Security Guidelines?
Several months ago I shared an Infographic with you. The Infographic provided some comparisons between Google Drive, Dropbox, Skydrive and iCloud. I want to follow that up with a more in-depth look at whether these cloud storage solutions may be used by Financial Services Providers. The question is whether these cloud storage options meet SEC and FINRA security guidelines.
It seems everything is moving to the cloud. It won't be long before the standard office computer has no hard drive, no installed software, and only a connection to the Internet. It's happening in offices now. But what are professional services providers like Lawyers, CPAs, Doctors and Financial Services Providers going to do about storing the sensitive, personal information they maintain? All of these service providers have rules or regulations guiding what they do. Financial Services Providers are guided by the SEC and FINRA.
The benefits of cloud storage are many, including:
- Reduced costs;
- The ability to share data and collaborate with multiple locations; and
- The ability to provide clients easy access to real-time data with a couple clicks of the mouse.
But the question of regulatory compliance is a big one for the Financial Services Industry. And, there seems to be more questions than answers right now.
The SEC and FINRA enforce security guidelines for the Financial Services Industry. They seek to protect personal information of clients and dictate how this information is to be stored and accessed by providers and the clients themselves.
The Securities and Exchange Act of 1934 (as amended) contains Rules 17a-3 and 17a-4 that relate to the backup and archiving of electronic records. FINRA adopted the SEA Rules and also has rules about Third-Party Providers that basically say a Financial Services Provider can't relieve him or herself of compliance obligations and push them off on a Third-Party Provider. So, what's a Financial Services Provider to do? Here are some things to consider.
Is the cloud storage system you've chosen secure? Are you in compliance with SEC Regulation S-P, Privacy of Consumer Financial Information?
- Do you have written policies and procedures in place governing the steps you take in order to protect client information?
- Can you insure the security and confidentiality of customer records and information?
- Do you protect against any anticipated threats or hazards to the security or integrity of customer records and information?
- Can you protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer?
- Though I think it's overkill, have you considered encrypting the documents before storing them in the cloud?
Intellectual Property Rights
Who owns the intellectual property rights of the data a Financial Services Provider intends to store in the cloud? I suggest you read the fine print. The "Terms of Service" for the different cloud storage providers vary quite a bit. You need to read the "Terms of Service." You may own your data, but the cloud storage provider has possession and may even have legal rights to use it for its benefit. It may even lack export options for you to get it back. Typically they even lack the obligation to permanently erase your data when you terminate your account with them.
I suggest these best practices when doing your due diligence for a cloud storage provider.
- If you are governed by FINRA consult with your broker-dealer's compliance department before using any cloud storage service.
- Obtain approval from your compliance department before you upload any client information to a cloud storage service
- Document your policies and procedures. List the steps you take to protect client data stored in the cloud
Are you currently storing client data in the cloud? If so, I'd like to hear from you. Leave a comment below and share your best practices. Tell me who you are using and why. Did you get approval from your compliance department in advance? Please leave a comment.
Brad Friedman is a “Recovering Attorney” living in Denver, Colorado. In 2010, Mr. Friedman who authors three blogs of his own, parlayed his passion for technology and his business, legal and marketing savvy into the creation of The Friedman Group, LLC. Brad has put together a group of highly skilled people to work with attorneys, CPAs, financial services providers, small businesses and ...