Spotlight on FINRA’s latest report on cloud computing in the US securities industry

The financial services landscape is constantly evolving. Amidst the mass change and disruption wrought by the pandemic, in tandem with the meteoric rise of the crypto market, regulators around the world are introducing new waves of rules and regulation to keep up with the rate of change.

In October 2021, the Financial Industry Regulatory Authority (FINRA) issued a new report on Cloud Computing in the Securities Industry, providing advice and regulatory considerations for the US securities industry. In response to this, NCC Group shared further recommendations, based on its expertise and work with businesses in the global financial industry.

What are the key takeaways from the report?

To mitigate the cybersecurity and ‘lock-in’ risks associated with outsourcing cloud services to third-party vendors, and ultimately take advantage of advancements in cloud computing, FINRA encourages its member firms to:

  1. Re-evaluate their approach to security, including reviewing cloud misconfigurations and poor access controls
  2. Update data-related policies and procedures if a firm’s cloud adoption leads to changes in how it collects, stores, analyzes and shares sensitive customer data
  3. Create, maintain, and annually review a written business continuity plan, in line with FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information)
  4. Consider the risk posed by cloud vendors and service providers
  5. Ensure that any data and information stored in the cloud is compliant with Exchange Act Rule 17a-4, and is preserved in a non-rewriteable and non-erasable format.

How else can organizations take advantage of cloud computing?

The adoption of cloud, software and technology escrow solutions, using ‘Resilience by Design’ principles, can help organizations to meet the financial system’s increasing demand for risk management, business continuity and ongoing operational resilience. By focusing on resilience from the start, organizations will be well placed to meet evolving rules and regulation.

Organizations that try to identify supplier risk exhaustively face increasing costs, barriers to innovation, and potentially reduced access to financial services. For this reason, cloud, software and technology escrow solutions offer legal, technical and proportional assurance to organizations.

Under this approach, cloud supplier failure would be assumed by default, regardless of a third party’s risk profile. Cloud, software and technology escrow agreements, together with ‘dry-run’ verification services, help to mitigate supplier failure and offer a minimum level of resilience that ensures continuity of services while alternative options are being implemented.

Firms should also perform a comprehensive assessment of threats, vulnerabilities, impact and likelihood of a cybersecurity incident on at least an annual basis to maintain a current view of overall technology risk, including cloud solutions. While the standard disciplines for assessing, managing and mitigating risk related to services provided using cloud resources are the same as for traditional IT deployment models, the risks are not, and each organization should prioritize understanding its new, unique risk profile.



Press contacts

NCC Group Press Office
Press contact: All media enquiries relating to NCC Group plc, +44 7824 412 405

NCC Group - Financial Media Enquiries
Press contact: Maitland AMO, Financial Results Media Enquiries, +44 (0)20 7379 5151

Regional Press Office - North America
Press contact: +1 408 776 1400

Regional Press Office - Europe
Press contact: +31 20 794 4737

NCC Group exists to make the world safer and more secure

In today’s threat landscape, understanding the risks organisations and customers are exposed to is more important than ever.

Understanding the impact and how to be more resilient is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organization can be a complex process but it’s not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.
