The recordkeeping requirements imposed on investment advisers and other market participants are extensive and the ability to quickly locate particular records is crucial to passing a regulatory exam. As these firms increasingly turn to more cost-effective and efficient cloud-based storage platforms, advisers should be aware of the SEC’s requirements for electronic storage generally and emerging best practices that are specific to cloud-based document storage and file sharing.
In addition to the list of the specific records advisers must retain, the SEC imposes the following requirements for electronic storage:
- Records must be stored in a way that individual documents can be easily located and retrieved;
- Advisers should be able to provide the staff with a “legible, true, and complete” copy of any record in the format in which it is stored within 24 hours of a request by the SEC;
- Similarly, advisers should be able to produce a printed copy of any document within 24 hours;
- The storage method must be capable of providing the SEC with a means to access, view, and print the records;
- The adviser must maintain duplicate copies of the records at a separate location; and
- The adviser must establish procedures to:
  - Reasonably safeguard the records from loss, alteration, or destruction;
  - Limit access to the records to authorized personnel; and
  - Reasonably ensure that records are complete, true, and legible.
Rule 204-2 is technologically neutral, leaving advisers free to adopt any electronic or manual approach (or a combination of the two) that meets the rule’s requirements. Similarly, there is no formal guidance from the staff on cloud-based storage generally, nor regarding any particular service provider. However, as more advisers are looking to cloud-based solutions, some best practices have emerged.
Best practices have generally centered on conducting diligence on potential service providers and on how advisers should factor in their own needs, infrastructure and other resources.
We recommend that firms speak with other advisers in their networks about their experience with a particular vendor, including its reliability and responsiveness. Once a firm has a short list of vendors it is interested in pursuing, it should request additional information and documents from those vendors; examples include:
- Any internal control reports (SAS-70, SSAE-16 or other);
- Business continuity/disaster recovery plan;
- Network uptime and support (i.e., whether it is 24x7x365);
- Ability to change or upgrade storage and services as the adviser’s needs change;
- Frequency and nature of the vendor’s backup procedures (e.g., current copies only, or historical versions);
- Any features that exist on the platform to prevent or recover inadvertent loss/deletions;
- Locations of any mirrored or redundant servers;
- Whether an adviser’s data has its own servers or if it is on media shared with other customers (and if the latter, what protocols are in place to separate customers’ data);
- Policies regarding responses to court orders, litigation holds and discovery requests;
- Any encryption applied to data transmission (such as syncing and downloads) and storage;
- Whether the vendor is amenable to additional diligence activities such as site visits, meetings with the specific personnel who manage the adviser’s data, discussion and review of physical security controls and the like; and
- Ability to and any limitations on terminating service and moving documents to a different vendor in the future.
Firms should also consider their particular needs, infrastructure and other resources, such as:
- Any internal limitations they impose on access to documents and how these can be implemented and maintained on the vendor’s platform;
- Methods used to sync local documents to the cloud, whether and when a manual sync would be required and the ease of triggering a manual sync;
- In the event of a delayed or failed sync, what the firm will or can do to otherwise back up its records;
- Whether to implement any/additional requirements for complex passwords and the frequency of changing them;
- To what extent employees work from home, while traveling, and/or via mobile devices; in particular, whether these devices are issued by the firm or the firm otherwise has the ability to ensure the security of these access points; and
- To what extent employees use public networks to access the firm’s cloud.
The last two points in particular raise the subject of encryption and the security of client or investor data on the cloud. Because privacy laws and compliance manuals typically require specific policies and procedures to protect client/investor data, firms should take care to ensure that their chosen vendor has sufficient methods to encrypt data and protect it from unauthorized access.
Along with social media, cloud-based data storage and sharing is changing how firms of all types do business. For investment advisers and others with enhanced regulatory obligations, it is important to carefully weigh business needs alongside applicable rules and best practices to ensure that they can take advantage of new technologies and still remain compliant.