Cloud computing services have revolutionized business practices across industry lines. The ability to store information off-site reduces costs for service providers and makes collaboration across multiple locations easy and quick. The benefits of services like Dropbox, Google Drive and Skydrive are easy to see, but the question of regulatory compliance is a big one for those in the Financial Services industry. The SEC and FINRA enforce security guidelines with regard to how personal client information and other non-public information is stored and accessed. The only industry that might face more restrictive regulations is the health care industry. Given the need to satisfy both agencies, Financial Services organizations must look at several factors when considering a migration to the Cloud.
1. Who owns the intellectual property rights to data stored on cloud servers?
Different service providers enforce very different requirements as part of their terms of service. Both Dropbox and Skydrive specifically state that all intellectual property rights to content remain with the producer of the content. Google Drive uses very ambiguous language, making it difficult to determine who owns the content after it is uploaded to their servers. Be sure to read all terms of service agreements before choosing a service provider. Having your legal or compliance team offer a review is a good idea to ensure there is no conflict between regulations and the stated terms of service.
2. What type of security protects data stored off-site?
The SEC and FINRA require companies to take steps to secure private customer information. Digital information needs different security protocols from hard copy versions. Cloud storage companies encrypt all the files stored on their servers to ensure data privacy. Even with that encryption, there are still potential security concerns, since storage company employees could still access the information. Even with assurances that company policy prohibits employees from accessing proprietary customer information, except at the direction of law enforcement agencies, there are no guarantees. Adding an additional layer of encryption before uploading files takes care of the potential security issue. At that point, you will still need to document processes and create usage policies describing the security measures taken with client personally identifiable information (PII).
Additionally, the capabilities of many cloud storage providers enable users to share documents and folders with people outside of their organization. Obviously, this can pose a serious risk. As such, be sure to explore the capabilities of the cloud storage provider's administrative functions before signing on. Many providers offer a means to prevent users from sharing files and folders with people outside of their organization.
3. Is cloud storage compliant with SEC and FINRA regulations?
Implementing the proper security protocols and carefully reading the cloud storage provider's terms of service should ultimately determine whether or not the service meets SEC and FINRA regulations. Remember that many regulated organizations already use outsourced CRM software, which often operates using cloud storage. Similarly, Dropbox, Skydrive and Google Drive are simply file sharing services based on cloud storage. If you have any concerns, be sure to contact your broker-dealer's legal or compliance department to discuss the proposed change to information handling. If they are involved in the process, you are able to ensure compliance at every level.
The benefits of easy, online file sharing services make them an essential part of modern businesses. Email places significant limits on the size of files transmitted, while these file sharing services offer unlimited data transfer, even with files of tremendous size. The ability to instantly access client information all around the world allows companies to use outsourcing services and coordinate between offices running on dramatically different schedules. SEC and FINRA regulations mandate careful attention to securing customer information, and these services provide an environment that offers a reasonable guarantee of security.