Trend Setting in Cloud Computing Legal Contracts….Who Knew?

By Joanna Fields

Over the past two years, US firms have experienced a significant increase in the number of mandatory regulatory reports, including the future Consolidated Audit Trail (CAT), Markets in Financial Instruments Directive (MiFID II) requirements applicable to firms doing business in Europe, new reporting requirements for swaps, the SEC’s Trade Reporting and Compliance Engine (TRACE), and the Treasury Department’s Regulation Systems Compliance and Integrity (Reg SCI).  Each of these reporting requirements could require some financial firms to process approximately a terabyte of metadata every day.  This has resulted in financial firms’ renewed interest in leveraging cloud technology.

Although it may seem like a recent technology trend in conversation, early network references to cloud computing date back to the 1960s.   The cloud computing discussed today has been derived by various technology marketing campaigns to make the language of engineers colloquial.  The cloud is an easy to adopt metaphor that has a myriad of meanings; for example, firms that allow employees to Bring Your Own Devices (BYOD) or issue laptops for remote access, are technically using cloud computing.

That said there has been an increased focus on cloud usage as legislative and regulatory bodies begin to review cybersecurity implications, most recently in light of significant hacks into systems at Equifax and the SEC.  Financial firms will have to balance their prescribed and very siloed regulatory reporting and processing requirements imposed by the SEC, FINRA, Federal Reserve, and CFTC with their cybersecurity obligations imposed by the same and additional Federal, State and other domestic and foreign regulatory agencies.  There are some simple yet important contractual protective measures that can significantly and positively impact financial firms’ ability to securely use cloud-computing technology.

When reviewing a firm’s service level agreement (“SLA”) it is important to consider global privacy considerations. Russia, Europe, Canada, and Korea all have very strict privacy restrictions already in place. Each firm should independently take the time to analyze, in conjunction with counsel, their client base, trade activity, cybersecurity insurance coverage, and contractual obligations with respect to reporting client Personally Identifiable Information (PII) data to the all regulatory reporting facilities.  This should include a proactive historical look back as Reg SCI reports, Large Trader ID, and Reg ATS-R reports are all currently stored in the SEC’s EDGAR database.   In addition, it is important for firms to develop tailored controls, metrics and monitoring tools that identify reportable activity for these jurisdictions.

Attorneys should understand that recent regulatory changes, such as CAT, MiFID II, GDPR, Anti Money Laundering customer due diligence, among others, cannot be considered in a vacuum. Emphasis on cybersecurity controls and vendor requirements should be at the forefront of consideration while developing a holistic approach. It is true that pending global regulatory reporting requirements combined with lessons from the recent Equifax breach has encouraged firms to begin to identify the importance of addressing complex cybersecurity requirements for protecting PII data. Moreover, the increased use and reliance on technology is forcing firms to consider the complex global cybersecurity regulatory trends in a proactive rather than reactive manner.

The following checklist offers important considerations and questions for cybersecurity trends and cloud computing. 

 Contract Review and Vendor Information Security Policies & Procedures Review

  • Service Level Agreements and Subscription Agreements
    • Where is the data hosted?
    • What is the current security environment?
    • What is the process for change notification
    • Who can access data?
    • How to prevent data leaks or loss?
    • How to control and recover leaked or lost data
    • Who has security update notifications/responsibility
    • Who owns data?
  • Disaster Recovery/Business Continuity Plan Review
    • Is there a planned destruction or data removal process?
    • Are monitoring/detection capabilities in place?
    • Develop a security/onboarding process for internal and outsourced staffing
  • Notification Requirements: Do you get notifications for the following situations?
    • Change management
    • System upgrade
    • Supervisor alerts of all Users that access data
    • Breach
    • Leaked data
    • Lost data
    • Security vulnerability notification/communication
  • Encryption of Data
    • Are Multi-Factor and risk based authentication techniques in place?
    • Is data encrypted in flight during data migration process?
    • Is data at rest on servers encrypted?
    • Are archival data storage methods; including disaster recovery and back up data transfers encrypted at rest and in flight?
    • Asymmetric key encryption between Data submitters and the Central Repository is desirable
    • Some storage facilities will allow firms to manage their own encryption keys, while other providers may require the ability to access and decrypt the data. This should be clearly specified in any vendor contract.
    • Does the vendor allow limited access credentials to specified devices? Suggest limiting remote access for employees’ access PII data.
    • Are automatic logoff timers in place?
    • Do not provide encryption keys to storage providers. Split key encryption and homomorphic key management can allow companies to migrate their applications and data to the cloud and retain total control of their encryption keys and their data. Regulation mandates that keys are never stored alongside data in the cloud or with cloud providers.
    • Do supervisors review system activity, logs, and logins to be informed on who is accessing data, where they are accessing data from, and at what times?
    • Physical safeguards such as facility access controls, and user access are just as critical
  • Host Location – Vendors
    • Must provide notification of any plans to change hosting location.
  • Audit/Certifications (Dynamic & Static Security Analysis) / Recommended to assess and certify your cybersecurity system & process
    • Annual AICPA SOC2 Certification by an independent 3rd party
    • Annual Pen Test by an independent 3rd party
    • Annual application/vendor code audit by an independent 3rd party

Source: Aplomb Strategies 

Joanna Fields is CEO & Founding Principal of Aplomb Strategies, implements equity & derivative regulatory, clearing and market structure change focusing on holistic governance.

Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.