
Cloud Backup and Disaster Recovery Financial Compliance Doesn’t Have to be Hard

May 9, 2018, 11:00 AM by Trenton Baker


Financial institutions are widely subject to regulatory compliance. The term “financial institution” doesn’t just mean banks. It casts a wide net that includes insurance agencies, real estate brokerages, collection agencies, and even some retailers who offer their own credit cards.

For these businesses, financial compliance is a balancing act between observing multiple (and confusing) regulations and not eating deeply into business profits.

“89% of compliance officers plan to increase investment in compliance management, while 66% of respondents report directly to their CEO or Board of Directors”
(Accenture “Accenture’s 2017 Compliance Risk Study”)

Common Regulations for U.S. Business

  • GLBA (The Gramm-Leach-Bliley Act). GLBA includes requirements to protect consumers’ personal financial information, including secure data backup, user access control, and security.
  • SOX (Sarbanes-Oxley Act). Section 302 protects investors by regulating corporate disclosures for accuracy and reliability. The CEO and the CFO must certify financial statements, and IT must ensure record accuracy. SOX covers user access control, physical and digital security, data retention policies, and proof of file immutability.
  • FINRA (Financial Industry Regulatory Authority). FINRA members must create, test, and update business continuity and disaster recovery plans that satisfy their obligations to customers during and after an emergency.
  • SEC (Securities and Exchange Commission).
    • Rules 17a-3 and 17a-4 require broker-dealers to create and preserve a comprehensive record of securities transactions and their general business. Documents need to be easily accessible and unmodified.
    • Rule 17a-4 specifically requires non-rewriteable and non-erasable formats for electronic files, and it sets specific retention periods.
  • NYCRR (Cybersecurity Requirements for Financial Services Companies). In 2007, the New York State Department of Financial Services (DFS) passed new cybersecurity regulations that affect all businesses subject to New York insurance, banking, and financial services laws. These regulations establish minimum regulatory standards for cybersecurity programs in the financial sector, including an annual cybersecurity compliance report.

“46% of IT professionals say their organizations have clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud.”
(Ponemon Institute “2018 Global Cloud Data Security Study”)

Top 5 Compliance Challenges in the Financial

Few financial services firms intend to be non-compliant, but it’s a challenge to stay in compliance in the face of numerous threats like employee error, insecure laptops and mobile devices, non-compliant cloud providers, and outdated regulations.

  1. Employee error. IT can do everything right: firewalls, intrusion detection, anti-virus software, secure user access protection – and one employee can mess it all up. It only takes a second to click on a link in an email and download ransomware. Plus, employees lose laptops and mobile devices all the time, use unprotected passwords (ask the Sony executives about that security hole), and even delete entire virtual servers by accident. “Whoops” indeed.
  2. Lost laptops and tablets. Regulations state that laptops and tablets should be physically secure (i.e., under the employee’s watchful eye) and encrypted. Judging from the percentage of breaches attributed to lost devices, this isn’t happening on a broad scale. Security firm Bitglass studied data loss incidents in financial services firms from 2006 to 2016. Its “Financial Services Breach Report” found that lost mobile devices constituted nearly a quarter of data breaches in U.S. financial services firms. The growing use of public WiFi hotspots compounds the problem when unencrypted laptops connect to unsecured networks.
  3. Insecure smartphones. Smartphones are also an issue. The small devices are all too easy for users to misplace and for opportunistic thieves to steal. Third-party applications are another challenge, especially under a BYOD policy. Whether it is Farmville or Dropbox, employees feel free to download third-party applications on their own devices. Nevertheless, business data that is accessible on those devices must be protected.
  4. Non-compliant cloud service providers. Another challenge is storing financial data in the cloud. The business reasons for doing so are excellent, but not every cloud provider offers sufficient security for financial services compliance. For example, in 2016 SkyHigh Networks reported that less than 10% of cloud storage providers encrypt at-rest data on cloud storage. Although more companies are aware of encryption in 2018, they cannot assume that their cloud provider encrypts protected data-in-transit and at-rest. Another concern is if the provider allows their customers to encrypt data using their own keys. Regulated businesses should also be sure their provider operates redundant data centers in widely separated regions and holds current data center certifications for physical and cyber security.
  5. Outdated regulations. This might be the trickiest challenge of the bunch. When lawmakers set out to regulate data protection practices, they deliberately did not specify technical solution details. Unfortunately, the language is so general that it makes it difficult to know what regulators want from regulated businesses. On top of that, fast-growing data volumes make it even harder to stay in compliance.

“Over 50% of respondents do not agree their organizations have a proactive approach to managing compliance with privacy and data protection regulations in cloud environments.”
(Ponemon Institute “2018 Global Cloud Data Security Study”)

Best Practices for Managed Cloud Backup

Despite these challenges, financial services firms need to stay in compliance. For best results, work with a cloud backup provider who is expert at financial services compliance. Look for these capabilities:

  • Redundant data centers. Store backup offsite in multiple locations. Locations should be in different regions, so a city- or region-wide disaster will not threaten both facilities. Inspect the data centers for physical security and cybersecurity. Look for the following certifications: ISO-27001 Security Certification, SSAE16 Audit Completion, and FIPS 140-2 Secure Transmission Protocols.
  • Backup verification and reporting. The fully managed service captures and monitors all backup and restore activity and proactively works with you to optimize your data protection process and regulatory compliance.
  • Extreme security. Use advanced encryption for data in-flight and at-rest. Do not store the encryption key exclusively in the cloud. Store it on-premise behind the firewall or use two-factor encryption.
  • Strong user authentication. Restrict backup access to users with admin credentials and guard those credentials carefully. Use strong passwords, change them regularly, and consider requiring multiple credentials to log in.
  • WORM. Store your data on WORM-capable and highly reliable disk. You must be able to prove that stored data has not been modified or incorrectly deleted. Set compliant retention policies so you can defensibly delete end-of-life data.
  • Disaster recovery. Your partner should be familiar with financial services regulations for DR plans, including full documented server and storage recovery plans. Make sure that your provider enables you to run at least annual testing for recovery, restore, and failover services.
  • Endpoint protection. Include edge devices in your backup and recovery plan. Ideally, your backup will be searchable so that you can identify data risks. Look for a consolidated backup management dashboard for the entire backup repository.
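The WORM and retention points above, as an added example that is not KeepItSafe’s code: a toy write-once store in Python (retention length, file name and records are constructed) that refuses overwrites and refuses deletion before the policy’s retention date, and detects modified content through the SHA-256 recorded at write time.

```python
# Added example (not KeepItSafe code): WORM-style ledger that refuses overwrite/early delete and proves integrity.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class WormRecord:
    sha256: str             # content hash captured at write time
    retain_until: datetime  # earliest moment deletion becomes defensible


class WormStore:
    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self._objects = {}   # name -> bytes as held on disk
        self.ledger = {}     # name -> WormRecord; kept after deletion as the audit trail

    def put(self, name, data, now):
        if name in self.ledger:
            raise PermissionError(f"{name}: object exists; WORM forbids overwrite")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = bytes(data)
        self.ledger[name] = WormRecord(digest, now + self.retention)
        return digest

    def verify(self, name):
        # True only if the bytes still match the hash recorded at write time
        return hashlib.sha256(self._objects[name]).hexdigest() == self.ledger[name].sha256

    def delete(self, name, now):
        # Refuse deletion inside the retention window; allow it afterwards
        record = self.ledger[name]
        if now < record.retain_until:
            raise PermissionError(f"{name}: retained until {record.retain_until.date()}")
        del self._objects[name]
        return True


def demo():
    t0 = datetime(2018, 5, 9, tzinfo=timezone.utc)   # constructed timestamp
    store = WormStore(retention_days=6 * 365)         # constructed six-year policy
    store.put("trades-2018-05.csv", b"acct,symbol,qty\n1001,XYZ,100\n", t0)
    results = {"intact": store.verify("trades-2018-05.csv")}
    try:
        store.delete("trades-2018-05.csv", t0 + timedelta(days=30))
        results["early_delete"] = "allowed"
    except PermissionError:
        results["early_delete"] = "refused"
    store._objects["trades-2018-05.csv"] += b"1002,XYZ,5\n"   # simulate silent corruption
    results["tampered_detected"] = not store.verify("trades-2018-05.csv")
    results["expired_delete"] = store.delete("trades-2018-05.csv", t0 + timedelta(days=6 * 365 + 1))
    return results
```

The ledger entry outlives the object, so an auditor can still see what was stored, its hash, and when deletion became permissible.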

KeepItSafe: Keep IT Compliant

Data privacy regulations and best practices are constantly at odds with effectiveness and compliance levels. Businesses can find themselves governed by financial regulations even if they do not consider themselves a financial institution. For this reason, organizations must pay considerable attention to the security of all data processes — to ensure they are not unintentionally running afoul of regulations.

Compliance and security experts — including us — agree that your IT team will need to conduct extensive due diligence on any person or entity that may in any way handle or have access to regulated data in your care. Taking on the responsibility for 100% data protection and adhering to compliance standards on a DIY basis can be an enormous undertaking. The burden of keeping up with financial data privacy regulations is not an efficient use of your IT resources.

The logical choice is to partner with a cloud backup and disaster recovery provider that offers purpose-built data protection strategies to help worldwide business customers securely back up their data. KeepItSafe has decades of expertise in complying with financial services regulations for personal and financial data and can keep you on the right side of FINRA, the SEC, NYCRR, and other regulators.


Regulation

KeepItSafe

FINRA

Rule 4730 requires a written business continuity plan that includes backup and recovery.

  • Compliance experts
  • Delta backup for rapid restore
  • FIPS 140-2 certification
  • 24/7 live support and verified recovery
  • Business continuity consultation by certified professionals (CBCP)

SEC

Rules 17a-3 and 17a-4 require full records of each transaction. Records must be easily accessible and non-erasable.

  • Customizable retention policies
  • eDiscovery protocols
  • SSAE16 certification
  • Comprehensive coverage of all data sources
  • 24/7 corruption protection


GLBA

Financial firms must protect consumers' stored personal financial information.

  • 256-AES encryption in-flight and at-rest
  • Redundant Tier-IV data centers
  • Secure access controls
  • Autonomic healing
  • Password rotation


SOX

Section 302 requires that both the CEO and CFO certify financial statements.

  • Fully managed and monitored backups
  • Single pane of glass administration
  • Audit trails
  • Authentication requirements
  • LAN storage reporting

NYCRR

Sub-sections of the rules also cover incident reporting policies, penetration testing, vulnerability assessments, access privileges, data protection and disposal, audit trails, and more.

  • FIPS 140-2 certification
  • WORM media
  • Delete lock
  • Index search
  • Audit trails
  • 256-bit encryption
  • Letter of compliance
  • Designated third party

As we’ve learned, financial compliance backup is far too important for you and your company to turn a blind eye to. While the financial services industry has guidelines and regulations unparalleled in business, meeting these unique requirements is a key point of emphasis for KeepItSafe.

The KeepItSafe backup disaster recovery solutions can holistically address your IT resiliency and storage retention requirements. With 20+ datacenters across 3 continents, KeepItSafe already protects hundreds of major financial institutions including banks, credit unions, insurance and financial services firms. Let us help you do more with less.
