1 This paper is not intended to express any legal position and does not create any new requirements or suggest any change in any existing regulatory obligations, nor does it provide relief from any regulatory obligations. While this paper summarizes key findings from FINRA’s outreach and research on the use of cloud computing in the securities industry, it does not endorse or validate the use or effectiveness of any of these applications. Further, while the paper highlights certain regulatory and implementation areas that broker-dealers may wish to consider as they adopt a cloud environment, the paper does not cover all applicable regulatory requirements or considerations. FINRA encourages firms to conduct a comprehensive review of all applicable securities laws, rules, and regulations to determine potential implications of implementing cloud-based applications.
2 Press Release, Gartner Forecasts Worldwide Public Cloud Revenue to Grow 6.3% in 2020, Gartner (Jul. 23, 2020). https://www.gartner.com/en/newsroom/press-releases/2020-07-23-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-6point3-percent-in-2020.
3 Press Release, Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in 2019, Gartner (Apr. 2, 2019). https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g.
4 Duncan Stewart, Patrick Jehu, Nobuo Okubo and Michael Liu, The Cloud Migration Forecast: Cloud with a Chance of Clouds, Deloitte Insights (Dec. 2020). https://www2.deloitte.com/xe/en/insights/industry/technology/technology-media-and-telecom-predictions/2021/cloud-migration-trends-and-forecast.html
5 See Request for Comments section on page 15 of this paper.
6 Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, 2, NIST Special Publication 800-145 (Sep. 2011). https://doi.org/10.6028/NIST.SP.800-145
7 Blesson Varghese, History of the Cloud, The Chartered Institute for IT (Mar. 19, 2019). https://www.bcs.org/content-hub/history-of-the-cloud/
8 DARPA, ARPANET, https://www.darpa.mil/attachments/ARPANET_final.pdf.
9 IBM Cloud Team, A Brief History of Cloud Computing, IBM (Jan. 6, 2017).
10 Antonio Regalado, Who Coined Cloud Computing? MIT Technology Review (Oct. 31, 2011) https://www.
network%2Dbased,term%20to%20an%20industry%20conference. In 2006, Amazon launched Amazon Web Services and its Elastic Compute (EC2) services, which allowed users to run their own computers and applications over the cloud. Press Release, Announcing Amazon Elastic Compute Cloud (Amazon EC2) – beta, AWS (Aug. 24, 2006).
11 Gartner (2020).
12 Mell and Grance (2011) lay out different cloud deployment models; see also cloud overviews by vendors and service providers, for instance: Accenture, Cloud Computing, https://www.accenture.com/us-en/insights/cloud-computing-index; see also Grace Lewis, Basics About Cloud Computing, Carnegie Mellon Software Engineering Institute (Sep. 2010). https://resources.sei.cmu.edu/asset_files/WhitePaper/2010_019_001_28877.pdf.
13 James Hamilton, Cloud Computing Economies of Scale, Mix’10 Conference (Dec. 8, 2009). https://channel9.msdn.com/Events/MIX/MIX10/EX01.
14 Paul Diamond, Cloud storage vs. on-premises servers: 9 things to keep in mind, Microsoft Corporation (Sep. 25, 2020)
15 IBM Cloud Education, Virtual Private Cloud (VPC), IBM (Nov. 2019). https://www.ibm.com/cloud/learn/vpc.
16 Mell and Grance (2011) lay out main service models as do Accenture, Cloud Computing and Lewis, Basics of Cloud Computing.
17 Some of the major providers of IaaS include AWS, Azure, Google Compute Engine and Cisco Metapod.
18 PaaS service providers include AWS Elastic Beanstalk, OpenShift, Google App Engine.
19 Such applications include Google Docs, Office 365, Zoom and Symphony.
20 IBM Cloud Education, FaaS (Function-as-a-Service), IBM (July 2019). https://www.ibm.com/cloud/learn/faas#:~:text=FaaS%20(Function%2Das%2Da%2DService)%20is%20a,building%20and%20launching%20microservices%20applications.
21 Containerization is a way to encapsulate packages of software code so that the software can run as a portable unit across different cloud platforms.
22 The diagram depicts a standard cloud pyramid, as depicted, for example, in: Deloitte, Change the Way You Change: How Can Banks Stay Ahead of the Curve? (Aug. 2019), p. 29.
23 However, many of these firms had already experienced some adoption of cloud-based SaaS services for non-core functions like email or human resources, but there was less of a touchpoint with the cloud in terms of business workflows, applications or management of data related to their core brokerage business.
24 Other examples include Office 365, Zoom, Teams, Slack.
25 An agile workflow approach is a modern approach to project management that fosters shorter development cycles (sometimes called “sprints”) while incorporating feedback at the end of each cycle to enable modifications and improvements before moving to the next cycle. Some firms similarly referred to improved “DevOps” for facilitating shorter application lifecycles.
26 National Security Agency, Mitigating Cloud Vulnerabilities (Jan. 20, 2020). https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF
27 FINRA Information Notice, Cybersecurity Background: Authentication Methods (October 15, 2020), https://www.finra.org/rules-guidance/notices/information-notice-101520.
28 Phishing is the fraudulent effort to obtain sensitive personal information, such as usernames or passwords or credit card details by posing as a trustworthy entity in a digital communication.
29 Penetration tests, or “ethical hacking,” entail the hiring of a third-party firm to conduct an authorized cyberattack on a firm’s IT system to identify exploitable vulnerabilities. The utility of such tests also extends beyond the initial rollout and is often employed on a regular basis.
30 Some firms also noted that vendor lock-in risk is not unique to cloud and may exist for on-premise systems as well.
31 Supra note 1. While the paper highlights certain regulatory and implementation areas that broker-dealers may wish to consider as they adopt a cloud environment, the paper does not cover all applicable regulatory requirements or considerations. FINRA encourages firms to conduct a comprehensive review of all applicable securities laws, rules, and regulations to determine potential implications of implementing cloud-based applications.
32 National Security Agency, Mitigating Cloud Vulnerabilities.
33 See e.g., NASD/FINRA’s Notice to Members 05-48: Members’ Responsibilities When Outsourcing to Third Party Providers.
35 See, e.g., FINRA Rule 4511 (General Requirements) and Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 (Exchange Act). See also FINRA, Key Topics, Books and Records, https://www.finra.org/rules-guidance/key-topics/books-records.
36 See Exchange Act Rule 17a-4(f); see also SEC Interpretation: Electronic Storage of Broker-Dealer Records, Release No. 34-47806, available at https://www.sec.gov/rules/interp/34-47806.htm.
37 Parties should submit in their comments only personally identifiable information, such as phone numbers and addresses, that they wish to make available publicly. FINRA, however, reserves the right to redact or edit personally identifiable information from comment submissions. FINRA also reserves the right to redact, remove or decline to post comments that are inappropriate for publication, such as vulgar, abusive or potentially fraudulent comment letters.