In its 2015 cybersecurity report, FINRA's guidance was limited to outlining some of the risks and rewards of cloud storage and listing key security considerations and questions that firms should use when considering cloud-based services. FINRA also reminded its members that cloud storage providers are subject to the same due diligence standards and processes as other third-party vendors, and that information security should be of the utmost importance. FINRA’s suggested areas of focus for firms that are considering the move to the cloud are as follows:
- Shared access of systems, since many firms may be using the same systems and computing resources
- Authentication and access control to the data
- How does a cloud vendor control access to the systems and data? What processes are followed and approvals required to gain access?
- Many of these systems operate over the Internet. What controls does the vendor have in place to prevent hacking of these systems?
- What types of secure coding practices does the vendor enforce?
- What testing is conducted on an ongoing basis to identify potential issues within the security practices?
- What system development life cycle process does the vendor follow to implement system updates? Does the vendor perform adequate testing? Are system users involved?
- Who has physical access to the vendor’s data center?
There are other key risks for any cloud system — including system availability and data ownership — that vendor management teams should address before implementation.
Case Study: FINRA Moves to Cloud Storage
Interestingly, a 2014 article in The Wall Street Journal may offer the biggest clue about FINRA’s stance on cloud storage. The article reported that FINRA itself began to move to cloud computing at the beginning of 2014, in a rollout that is expected to take 30 months and save the organization $10-$20 million annually while making the regulator more efficient. Steven Randich, FINRA’s chief information officer, said in an interview that by moving to the cloud, FINRA will gain increased processing capacity and more space to store data, while reducing costs because the service is only used when needed. FINRA processes 25 billion “market events” a day and almost six billion shares. Randich went on to say that FINRA “could have redesigned our system to scale across a lot of big machines, but economically that’s not really on the table for us. By moving to the cloud we get dramatic processing and storage scale at commodity prices.” The article went on to say that FINRA data queries are now measurably faster, with “dramatic” results: what used to take hours now takes just minutes. FINRA hopes that the new technology will allow it to run surveillance patterns more quickly and to do more data analysis, both of which are good for clients and bad for reps who don’t follow the rules.