FINRA, SOX, FIPS — Compliance and Data Protection for the US Financial Industry
IT managers often mistakenly assume that FINRA-compliant use of cloud storage is not possible. But in addition to specially certified providers, cloud encryption solutions can ensure FINRA compliance. This article explains the details.
Table of Contents
- What is FINRA?
- FINRA Rule 3010 — The Supervisory System
- FINRA Rule 4511 — Duration of Data Retention
- FINRA Rules for Storing Data in the Cloud
- FINRA Rules for Encrypting Data
- What is SOX?
- SOX and the Cloud Storage
- SOX and Encryption
- What is FIPS 140-2?
- The 4-Level Program of FIPS
- To Which Companies does FIPS Apply/Which Companies can be Certified by FIPS?
- Is Boxcryptor FIPS Compliant?
- Conclusion: There Is No Way Around Strong Encryption
What is FINRA?
FINRA is the abbreviation for the Financial Industry Regulatory Authority. It is an independent licensing authority whose responsibilities are delegated by the Securities and Exchange Commission (SEC), the U.S. stock exchange regulator. FINRA’s responsibilities include the supervision of individuals and firms that trade securities on U.S. exchanges. All firms not already regulated by another self-regulatory organization must become FINRA members.
FINRA Rule 3010 — The Supervisory System
FINRA has created a comprehensive set of rules that member firms must adhere to. Let’s take FINRA Compliance Rule 3010 as an example of how fine-grained these rules are.
Compliance with securities laws and regulations is the responsibility of each FINRA member firm. To ensure enforcement of these regulations, FINRA provides a system to monitor compliance. For this purpose, a multi-tiered supervisory system has been devised whereby each employee is subject to the supervisory responsibilities of specific, responsible individuals.
To do so, member firms must meet the following requirements:
- Establish and maintain written supervisory procedures.
- Designate at least one responsible person who has supervisory responsibility over all broker-dealer activities of the member firm.
- Designate and register all locations and branches that fall under the requirements of Rule 3010.
- Designate at least one responsible person per branch office covered by the requirements of Rule 3010.
- Assign each associate a registered representative who is responsible for overseeing the activities of that associate.
- Verify that all supervisors are suitable for their assigned responsibilities based on their experience or training.
- Ensure that each relationship manager participates in a meeting at least once a year to discuss compliance matters.
FINRA Rule 4511 — Duration of Data Retention
Another important law under FINRA’s oversight is Rule 4511.
Rule 4511 is primarily concerned with the length of record retention requirements. Documents that fall into a category where this is not specified must be retained for at least six years, according to FINRA. The same period applies when accounts are involved. The retention requirement expires six years after the mandated account closure. In all other cases, accounting documents and all records must be archived for six years from the date of creation. Throughout the length of the retention period, safeguards must be in place to prevent alteration or deletion of the data.
In 2011, the U.S. Securities and Exchange Commission approved FINRA’s adoption of the SEC’s electronic storage rules. Since then, FINRA member firms have also been allowed to store accounting records in cloud storage. It is mandatory to ensure that this data cannot be altered during the retention period.
FINRA Rules for Storing Data in the Cloud
Cloud storage is a practical application that takes a lot of work away from firms, especially in the area of physical data security. Another invaluable advantage is the permanent availability of files on all devices and at any time. Thus, the cloud can simplify collaboration between different employees in many ways. However, outsourcing files to cloud storage introduces new cybersecurity risks for companies.
FINRA offers two considerations in this regard:
- Controls: FINRA is concerned that individual departments may bypass key control points that are important to cybersecurity by using cloud computing. In addition, some firms find it difficult to establish their own control systems with which cybersecurity can be ensured.
- Security: FINRA also sees good reasons for using cloud storage. The licensing authority points out that large cloud providers can invest more money and more expertise in data security. The very high level of fire protection, backups, and access controls offered by large providers is almost impossible for a single company to provide on its own.
FINRA Rules for Encrypting Data
There is no FINRA rule mandating encryption, so FINRA does not audit it directly. However, guidelines are issued periodically to provide guidance to members.
Encryption Technology (also known as Information Rights Management in some firms) is typically applied to unstructured data, such as PDF files, according to FINRA. These encryption services typically have two functions. First, they encrypt the contents of the desired files, and second, they can also specify what actions can be performed by users who have permission to open the files.
FINRA sees several benefits in this, such as confidentiality of data and ensuring information integrity. This means that only authorized persons can access the data. The plain text of the files thus remains hidden from employees without authorization. This also applies to criminals who have gained access to the data through a cyber-attack, for example. They only receive the encrypted version. However, this does not allow any inferences to the content.
FINRA therefore also sees encryption as adequate protection against cyber-attacks. It should be used as the last line of defense in a defense-in-depth strategy.
Encryption for portable media: FINRA considers encryption to be necessary for portable media — see Rule 8210. Here, there is a particularly high risk of loss of the device or loss of the data during transmission to “untrusted networks.” According to FINRA, the Internet counts as such a network.
Encryption for cloud storage: Further, FINRA warns against encryption performed by cloud providers themselves. It is true that such encryption is an easy solution for companies. But it should be noted that the keys are provided by the cloud provider. This means that it also has access to the stored data.
For FINRA, there is no one-size-fits-all solution in dealing with cyber threats.
However, business leaders are expected to make cybersecurity a priority and provide enough resources to take sufficient action to mitigate the risks. In addition, encryption is a complex issue, and therefore FINRA recommends using a well-established COTS product and advises against individualized products. COTS stands for “commercial off-the-shelf”, i.e. products that are always structured in the same way and are sold in large numbers.
What is SOX?
SOX is the abbreviation for the Sarbanes-Oxley Act of 2002, a US federal law. It was passed to improve the quality and reliability of reporting by companies participating in the public capital market.
SOX affects all companies, including their subsidiaries, whose shares are traded on U.S. stock exchanges, whose equity securities are traded off-exchange in the U.S., or whose securities are offered to the public in the U.S.
There are three key areas of application for SOX. These include Corporate Governance, Compliance, and External Reporting.
SOX and the Cloud Storage
Since large amounts of data need to be stored for reporting, more and more companies are currently turning to cloud storage. Therefore, there is a section in SOX that regulates the storage of data with cloud providers. Articles 103 and 105 regulate that critical digital data must be stored for at least 7 years.
SOX and Encryption
SOX also mandates that data should be encrypted with a 256-bit AES key, regardless of content, to protect it from attackers. Furthermore, files should be stored in geographically dispersed locations. It should be possible to recover data quickly and accurately at any time.
What is FIPS 140-2?
FIPS is the abbreviation for Federal Information Processing Standard Publication. This is a U.S. government security standard used to approve cryptographic modules and was published by the National Institute of Standards and Technology (NIST). The purpose of FIPS is to coordinate the requirements and standards for encryption procedures. The certification covers hardware and software.
FIPS 140-2 is a certification that is divided into four levels. The physical security requirements for the module increase from level to level. Testing for the certification is carried out by several accredited bodies in the USA, but the certification can also be awarded by the TÜV Nord Group in Germany.
The 4-Level Program of FIPS
- Level 1: The lowest security level, where basic security requirements are established and no physical security mechanisms are necessary. An example is an encryption card for company laptops.
- Level 2: The first physical security requirements apply here, because to be certified for level 2 you need components that can indicate tampering. This can include, for example, seals that must be broken before you can get to the component.
- Level 3: Physical access to cryptographic modules by unauthorized persons should also be prevented. The security measures should be able to detect and respond to unauthorized access with a high probability. Examples include strong enclosures or tamper-detection circuitry.
- Level 4: The highest level of physical security that can protect a cryptographic module. A complete protective envelope surrounds the module, detects intrusion from all directions, and immediately deletes plaintext data.
To Which Companies does FIPS Apply/Which Companies can be Certified by FIPS?
All crypto modules used by the US or Canadian governments must be FIPS 140-2 certified. Therefore, this certification is relevant to all companies that manufacture and sell or plan to sell crypto modules to these governments.
Is Boxcryptor FIPS Compliant?
Yes. The libraries used by Boxcryptor to implement encryption are FIPS 140-2 certified. An overview of the libraries used can be found in our Technical Overview.
Conclusion: There Is No Way Around Strong Encryption
The use of cloud storage offers enormous advantages. However, to take advantage of these benefits, it must be ensured that it is used in accordance with FINRA requirements. Encryption is a building block to using cloud storage securely. When choosing an encryption solution, make sure it uses FIPS 140-2 certified libraries.
Boxcryptor supports many cloud storage services and can help you use cloud storage in a FINRA-compliant way. The zero-knowledge approach means that only you or your company has access to the encrypted files. This allows you to take advantage of the cloud with the highest level of security.