Regulated cloud outsourcing
4. When does cloud outsourcing fall within the scope of the rules?

With respect to broker-dealers ("BDs") and investment advisers, the Securities and Exchange Commission ("SEC") has not defined "third-party cloud service providers" with any specificity in rulemaking. Rather, third-party providers have been part of the electronic storage media paradigm since the 1997 amendments to SEC Rule 17a-4.   

While there are no SEC regulations specific to services provided by cloud vendors, the scope of the SEC's approach to the use of third parties for record-keeping and storage has remained broad over the years. SEC guidance in the form of risk alerts and Financial Industry Regulatory Authority ("FINRA") reports for BDs will likely be the way that these regulators continue to set expectations regarding cloud outsourcing.  

In addition, the use of a cloud service vendor for data storage by any BD entity would be considered outsourcing under FINRA guidance. Accordingly, a BD must conduct appropriate due diligence prior to implementing such a vendor's services and must establish procedures for ongoing supervision, which may involve: (i) using programmatic checks through business operations; (ii) including the procedures in the contracts with the vendors; (iii) requiring status reports and periodic meetings; and (iv) testing and reviewing the vendor's procedures.

Moreover, in 2015, FINRA undertook a comprehensive review of member firms and published a study that set forth a set of principles and best practices regarding BD approaches to cybersecurity. Notably, FINRA specifically addressed firms' use of cloud service providers and, in particular, stressed the importance of Identity and Access Management in establishing appropriate controls to limit users' access to a firm's systems and data. While the report does not impose new rules on FINRA firms, it makes clear the expectations that regulators have regarding supervision and controls with respect to vendor management.

Similarly, for Commodity Futures Trading Commission ("CFTC") entities, neither the CFTC nor the National Futures Association ("NFA") defines "third-party cloud service providers" within its rulemaking. They have not adopted specific outsourcing rules similar to those found in other jurisdictions. However, both the CFTC and NFA considered cloud computing while revising their record-keeping and supervision rules in recent years. Both the CFTC and NFA rules are expressly intended to be technology-neutral and therefore do not address specific types of cloud storage medium vendors.