Section III: Regulatory Considerations for Cloud Computing
There are several regulatory implications that firms may wish to consider when establishing a presence in the cloud. It is important to keep in mind that although a firm may shift its technology infrastructure to a cloud environment, all of the regulatory requirements that are applicable in an on-prem environment continue to apply. However, cloud-based applications may contain some unique features that securities market participants may wish to consider as they explore and adopt related technology tools. Specifically, where applicable, factors for market participants to consider when seeking to adopt a cloud environment include cybersecurity, data governance, outsourcing/ vendor management, business continuity, and recordkeeping. This section provides a brief discussion of each of these factors and highlights certain related regulatory considerations.31
While this section highlights certain key thematic areas, it is not meant to be an exhaustive list of all factors or regulatory considerations associated with adopting cloud-based applications. Broker- dealers should conduct their own assessments of the implications of cloud computing, based on their business models and related use cases.
- Cybersecurity: Cloud technology is complex, and firms should consider any potential differences in cybersecurity management between cloud services and on-premise systems. Many best practices from an on-premise environment would still apply, though some may differ. For instance, insider risks may extend to the cloud service provider. Also, as mentioned previously, one important feature of cloud computing is the sharing of cloud security related tasks between the firm and cloud service provider. As laid out in Figure 2 (above), a firm may undertake to perform more or less of certain cloud security-related tasks depending on the type of cloud deployment. When considering the division of cloud security-related tasks between itself and the cloud service provider, a firm may benefit from working to ensure cybersecurity is incorporated as a critical component of the evaluation, development, and testing process of any cloud-based application. The division of tasks should also be reflected in the contractual agreement between the firm and cloud services provider. For additional resources on this topic, including applicable rules, guidance, and FINRA’s report on Cybersecurity Practices, refer to FINRA’s webpage on cybersecurity.
A cloud vulnerability report by the National Security Agency32 also noted the following three functions where it is important to identify the party that will be performing the cloud security related task: (i) threat detection (ii) incident response (iii) patching/updating. Typically with respect to each of these functions, the cloud service provider will undertake tasks for securing its own cloud resources, but the firm would still need to perform tasks for monitoring threats, responding to incidents and patching any vulnerabilities for the cloud resources they manage. The cloud service provider may have tools or services to help a firm perform these tasks, but it is important for firms to clearly understand the division of responsibilities to limit any potential gaps.
The NSA paper also cites two vulnerabilities related to cloud computing that may be beneficial for firms to monitor.
- Misconfigurations: Cloud misconfigurations have to do with improperly setting up a cloud- based system, which create vulnerabilities that can lead to data breaches. Misconfigurations are common, since they can occur in many different areas and be caused by various people with access rights. They can also go unnoticed, which creates a potentially large opening for attackers to exploit a firm’s cloud resources. Common misconfigurations vary but may include: publicly exposed cloud data and resources, unrestricted access to outbound/ inbound traffic, or data encryption not being applied. Misconfigurations can result from anything from low awareness of security responsibilities to lack of proper controls and oversight to simple insider negligence and speak to the need for well-designed policies, layers of security controls and mechanisms for monitoring potential breaches.
- Poor access controls: Poor access controls have to do with weak authentication methods that enable unauthorized entities to infiltrate cloud resources. Vulnerabilities may also exist such that authentication methods can be bypassed. Vulnerabilities may occur at a point of access to the cloud within the firm or at a client endpoint, namely a client’s cloud-based account. FINRA issued a Cybersecurity Alert in October, 2019, warning about cloud-based email account takeovers (ATOs), in which perpetrators use various techniques to acquire client log- on credentials and from there acquire sensitive information, initiate a fraudulent transfer of funds or expand the attack footprint. ATOs can also occur with firm staff accounts that have administrative privileges, which provides a platform for a much larger attack. Such attacks could be prevented with stronger authentication techniques, namely 2FA, better retention of activity logs and more effective management of and controls over administrative accounts.
- Misconfigurations: Cloud misconfigurations have to do with improperly setting up a cloud- based system, which create vulnerabilities that can lead to data breaches. Misconfigurations are common, since they can occur in many different areas and be caused by various people with access rights. They can also go unnoticed, which creates a potentially large opening for attackers to exploit a firm’s cloud resources. Common misconfigurations vary but may include: publicly exposed cloud data and resources, unrestricted access to outbound/ inbound traffic, or data encryption not being applied. Misconfigurations can result from anything from low awareness of security responsibilities to lack of proper controls and oversight to simple insider negligence and speak to the need for well-designed policies, layers of security controls and mechanisms for monitoring potential breaches.
- Data Privacy: Related to the previous points on cybersecurity, firms are also subject to requirements to safeguard customer records and information. Such requirements are laid out in SEC Regulation S-P, and a reminder of Reg S-P’s requirements are also spelled out in FINRA’s Notice to Members 05-49. Regulation S-P requires firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information that are reasonably designed to: (i) ensure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. Despite the firm’s outsourcing of certain IT tasks to cloud service providers, the firm is ultimately responsible for compliance with the requirements of Regulation S-P.
Moreover, if a firm’s cloud adoption leads to changes in how it collects, stores, analyzes, and shares sensitive customer data, firms may need to update their policies and procedures related to customer data privacy to reflect such changes. Relatedly, firms may wish to consider whether appropriate consent from customers, as needed, has been obtained with respect to the collection of any new information that may be desired to facilitate or enhance the benefits associated with cloud adoption. In addition, firms may wish to consider whether appropriate policies and procedures exist with respect to sharing such data with cloud service providers or other vendors, including how and what level of access is provided to vendors; any parameters for storing the data; any restrictions on vendors sharing data with other third parties; and any restrictions on aggregating customer information with data from other vendor clients.
- Outsourcing/Vendor Management: To the extent that a cloud service provider or other cloud vendor is selected to perform certain tasks on behalf of the firm, firms should be mindful of applicable guidance on outsourcing.33 Firms are reminded that outsourcing an activity or function to a cloud service provider or other cloud vendor does not relieve them of their ultimate responsibility for compliance with all applicable securities laws and regulations and FINRA rules associated with the outsourced activity or function.
The FINRA outsourcing guidance also notes in pertinent part: “After the member has selected a third-party service provider, the member has a continuing responsibility to oversee, supervise, and monitor the service provider’s performance of covered activities. This requires the member to have in place specific policies and procedures that will monitor the service providers’ compliance with the terms of any agreements and assess the service provider’s continued fitness and ability to perform the covered activities being outsourced.”34 Therefore, firms are encouraged to conduct appropriate due diligence and testing of cloud service providers and vendors to help ensure that the vendors can conduct the activities being outsourced in a way that complies with FINRA and other relevant rules.
Firms may also consider the risks associated with vendor lock-in and the potential that cloud service providers might be unable to reliably provide services. Currently, platforms and technologies may not readily enable migration between cloud vendors should an existing cloud solution fail to meet the firm’s requirements. Firms may wish to consider whether multi-cloud or hybrid cloud options are compatible with their business needs. Alternatively, they may wish to consider adoption of an exit strategy to mitigate against an unfavorable lock-in scenario. As mentioned before, certain services and technologies (e.g., containerization, open source software) are making it easier to use different cloud service providers or switch between them.
Finally, firms also may want to consider whether a cloud vendor has undergone rigorous operational and financial audits (e.g., SOC 1 and SOC 2) or has had third-party assessments or certifications to help demonstrate its ability to provide vital functions on an ongoing basis. Firms may also consider industry recommended security best practices for working with a specific cloud service provider.
- Business Continuity: FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires firms to create, maintain, annually review and update written business continuity plans relating to an emergency or significant business disruption. Such plans must be reasonably designed to enable the firm to meet its existing obligations to customers and address the firm’s existing relationships with other broker-dealers and counterparties. As mentioned before, the cloud offers the potential for greater business resiliency due to redundant storage and computing capacity across cloud service provider’s data centers. Cloud providers typically host multiple data centers in different locations, and firms should consider the extent to which cloud service strategies may support their business continuity and disaster recovery plans and obligations. Firms should also be aware that latency issues may exist that impact real-time back-up of information or availability of services in case of a failover to the secondary location. Accordingly, firms may wish to consider testing the redundant configuration to ensure business services can continue in the face of a disruption, and update test plan and procedures accordingly. Firms may also wish to consider whether cloud services may support greater resiliency for their systems. For example, important applications can run in a live production mode across multiple cloud datacenters with highly available databases. In this scenario, if one of the cloud provider’s data centers fail for any reason, the remaining data center continues to service the production load with no impact to customers.
- Recordkeeping: Broker-dealers are increasingly looking to utilize cloud storage for data and information maintained by the firm. FINRA and SEC rules require firms to preserve specified records for certain periods.35 In addition, these rules require that such records be preserved during the retention period in a format and media that complies with Exchange Act Rule 17a- 4, including, among other requirements, a requirement that records preserved on electronic storage media be stored exclusively in a non-rewriteable and non-erasable format.36 Certain cloud providers have indicated that they provide products or services designed to be compliant with FINRA and SEC recordkeeping requirements. Firms should be aware of their recordkeeping obligations and assess any such recordkeeping products or services offered by their cloud providers.