Spotlight on FINRA’s latest report on cloud computing in the US securities industry
The financial services landscape is constantly evolving. Amidst the mass change and disruption wrought by the pandemic, in tandem with the meteoric rise of the crypto market, regulators around the world are introducing new waves of rules and regulation to keep up with the rate of change.
In October 2021, the Financial Industry Regulatory Authority (FINRA) issued a new report on Cloud Computing in the Securities Industry, providing advice and regulatory considerations for the US securities industry. In response to this, NCC Group shared further recommendations, based on its expertise and work with businesses in the global financial industry.
What are the key takeaways from the report?
To mitigate the cybersecurity and ‘lock-in’ risks associated with outsourcing cloud services to third-party vendors, and ultimately take advantage of advancements in cloud computing, FINRA encourages its member firms to:
- Re-evaluate their approach to security, including reviewing cloud misconfigurations and poor access controls
- Update data-related policies and procedures if a firm’s cloud adoption leads to changes in how it collects, stores, analyzes and shares sensitive customer data
- Create, maintain, and annually review a written business continuity plan, in line with the FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information)
- Consider the risk posed by cloud vendors and service providers
- Ensure that any data and information stored in the cloud is compliant with Exchange Act Rule 17a-4 and is preserved in a non-rewriteable and non-erasable format.
How else can organizations take advantage of cloud computing?
The adoption of cloud, software and technology escrow solutions, using ‘Resilience by Design’ principles, can help organizations to meet the financial system’s increasing demand for risk management, business continuity and ongoing operational resilience. By focusing on resilience from the start, organizations will be well placed to meet evolving rules and regulation.
Identifying supplier risk exhaustively exposes organizations to increasing costs, barriers to innovation, and potentially reduced access to financial services. For this reason, cloud, software and technology escrow solutions offer organizations legal, technical and proportional assurance.
Under this approach, cloud supplier failure is assumed by default, regardless of a third party’s risk profile. Cloud, software and technology escrow agreements, together with ‘dry-run’ verification services, help to mitigate supplier failure and offer a minimum level of resilience that ensures continuity of services while alternative options are being implemented.
Firms should also perform a comprehensive assessment of threats, vulnerabilities, and the impact and likelihood of a cybersecurity incident on at least an annual basis, to maintain a current view of overall technology risk, including cloud solutions. While the standard disciplines for assessing, managing and mitigating the risk of services delivered on cloud resources are the same as for traditional IT deployment models, the risks themselves are not, and each organization should prioritize understanding its new, unique risk profile.