Cybersecurity & Compliance Blog

Written by Marc Gilman
on June 26, 2018

As part of its regulatory reform and modernization efforts, Securities Industry and Financial Markets Association (SIFMA) submitted a rule change petition to the SEC in November 2017 requesting refinements to the electronic recordkeeping requirements in Rule 17a-4.

Colloquially known as the “write once, read many” or “WORM” requirement, the Rule has been in place since the late 90s and remains largely unchanged. The rule imposes a variety of highly specific and seemingly outdated technical requirements on Broker-Dealers who store relevant records in electronic format.

For years the CFTC Rule mirrored the SEC’s, but following the implementation of Dodd-Frank, the CFTC revised its electronic recordkeeping requirements, dispensing with the WORM standard in favor of a modernized, technology-neutral approach. This change provided Swap Dealers with flexibility to leverage new storage technologies, while maintaining robust security controls independent of a specific regulatory mandate.

On May 24, 2018, SIFMA submitted an addendum to its initial petition after discussions with SEC staff. Full disclosure — in my prior role, I provided input on the November filing. In light of the May addendum, we thought it would be useful to provide an overview of SIFMA’s proposal and consider the future of electronic recordkeeping.

The May addendum aims to answer three questions posed by the SEC:

  • What technical controls would replace WORM?
  • What are the challenges of storing particular content in WORM?
  • What costs are incurred by broker-dealers in implementing and maintaining WORM?

In response to the first question, SIFMA recommended three key technical controls that could be applied to systems to replace WORM — access controls, audit logs and destruction protocols.

SIFMA pointed out that access controls can be used to limit permissions to information and restrict the ability to alter data to achieve both the “non-erasable” and “non-rewritable” goals of the existing WORM requirement. Limiting access to those systems or individuals with a valid business rationale significantly reduces risks of intentional or unintentional alteration.

Second, SIFMA suggests that audit logs offer transparency about changes to information and can be used in conjunction with backup systems to monitor and prevent alteration. Finally, disposition protocols can be used to apply specific retention periods to information and ensure that it cannot be deleted until it has met its regulatory or operational storage requirements.
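To make the three controls concrete, here is a constructed toy model, added for this post and not code from SIFMA, the SEC or any vendor: a record store with role-based access checks, an append-only hash-chained audit log, and a retention hold that makes records non-rewritable and non-erasable until their retention date has passed (role names, record ids and dates are assumed; dates are ISO strings so they compare lexicographically).

```python
import hashlib

class RetentionHoldError(Exception):
    """Raised when a write or disposal would violate the retention lock."""

class RecordStore:
    # Constructed role model: which roles may perform which actions.
    ROLE_PERMS = {"trader": {"read", "write"},
                  "records_admin": {"read", "write", "dispose"}}

    def __init__(self):
        self.records = {}   # rec_id -> {"content", "retain_until"} (ISO date)
        self.audit = []     # append-only, hash-chained log entries

    def _log(self, actor, action, rec_id, allowed):
        # Each entry commits to the previous hash, so later edits are detectable.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        line = f"{prev}|{actor}|{action}|{rec_id}|{allowed}"
        self.audit.append({"actor": actor, "action": action, "rec_id": rec_id,
                           "allowed": allowed, "prev": prev,
                           "hash": hashlib.sha256(line.encode()).hexdigest()})

    def _check(self, role, action, rec_id):
        # Access control: log the decision, then deny if the role lacks the right.
        allowed = action in self.ROLE_PERMS.get(role, set())
        self._log(role, action, rec_id, allowed)
        if not allowed:
            raise PermissionError(f"{role} may not {action} {rec_id}")

    def write(self, role, rec_id, content, retain_until):
        self._check(role, "write", rec_id)
        # Non-rewritable: an existing record id can never be overwritten.
        if rec_id in self.records:
            self._log(role, "overwrite-denied", rec_id, False)
            raise RetentionHoldError(f"{rec_id} already exists and is immutable")
        self.records[rec_id] = {"content": content, "retain_until": retain_until}

    def dispose(self, role, rec_id, today):
        self._check(role, "dispose", rec_id)
        # Non-erasable: disposal is refused until the retention period is met.
        if today < self.records[rec_id]["retain_until"]:
            self._log(role, "dispose-denied-retention", rec_id, False)
            raise RetentionHoldError(f"{rec_id} is under retention hold")
        del self.records[rec_id]
        return True

    def verify_audit(self):
        # Recompute the chain; any edited or removed entry breaks it.
        prev = "0" * 64
        for e in self.audit:
            line = f"{prev}|{e['actor']}|{e['action']}|{e['rec_id']}|{e['allowed']}"
            if e["prev"] != prev or hashlib.sha256(line.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a real deployment the audit chain would be anchored outside the system that writes it (for example, a periodically signed checkpoint held by a separate party), since a log that can be rewritten by the same administrator it is meant to watch offers little assurance.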

The second issue SIFMA addresses is the challenge of maintaining certain information, specifically information stored in dynamic databases, in WORM format. As a threshold matter, SIFMA points out that many SEC records are maintained in dynamic databases including ledgers, account information, blotters and trading information. The information stored in these databases is constantly changing and often aggregated from several different underlying sources.

SIFMA observed that firms must create “snapshots” of the records maintained in these databases that represent their status at a specific point in time. These record snapshots cannot be used to meaningfully reconstruct the database and are of limited utility in providing the complete context of the information contained therein.

Finally, SIFMA investigated the costs of 17a-4 compliance from selection and implementation of a new WORM system to the average fees related to retaining a third-party downloader. According to the petition, SIFMA member firms spend about $6 million to implement new WORM systems, although some firms reported costs of up to $25 million.

The deployment of a new WORM archive takes roughly 20 months and requires anywhere from 10-45 employees spending 50% of their time on the project. Firms spent roughly $80,000 per year to retain the services of a third-party downloader. A key theme in the initial submission and the follow-up has been the fact that the costs and resources involved in the implementation and maintenance of WORM systems have hampered firms’ abilities to leverage new technologies.

SIFMA’s proposal to modernize the WORM requirement is compelling. Given the technology-neutral approach adopted by the CFTC as well as the conceptually archaic approach to electronic storage under the current rule, the security, cost and operational benefits of updating the rule would be significant.

In considering a world without WORM, we also wanted to take this opportunity to do a thought experiment to outline how we see the evolution of the regulated archiving space and key controls that might emerge as part of this growth process.

Increased Reliance on Cloud Computing

Firms are increasingly relying on managed cloud computing solutions in various configurations to accomplish their business goals. Whether that be cloud-based long term storage or “fog” computing solutions that leverage local infrastructure in combination with cloud technology, the benefits of secure, flexible, commercially advantageous storage options will be embraced in larger numbers.

Firms find the benefits of uptime, failover and scalability key. In the event that Rule 17a-4 changes, firms may be able to take advantage of these secure and extendible platforms to deploy them for regulated content.

Leveraging New Technology for Security and Content Classification

Firms have acknowledged the critical value of their own and their clients’ information, treating it as an essential asset that must be protected. New technologies will allow for reasonably accurate classification of information based on its content.

The benefits of such technologies are twofold—they provide insights into what information is about and facilitate the application of controls related to retention and information security. For example, understanding that a system or file contains client account opening information would allow a machine to make a recommendation about the assignment of a retention period based on regulatory and operational requirements for that type of record.

In addition, a smart technology could make suggestions about information security restrictions that should be applied to the content and could restrict access to it or prevent it from being improperly shared with internal or external stakeholders.

Migrating classification and control efforts away from ad hoc, subjective decision-making to machine-assisted workflows could dramatically improve the ways that regulated content is retained and protected.

We will keep this blog updated as deliberations on the WORM petition develop and are always available to discuss these issues.
