only for the grade
Case Study 6 245
In 1937, the Securities and Exchange Commission (SEC) set out rules that stipulated records retention requirements for securities brokers and dealers. The SEC's concern was (and is) that records of financial transactions not be altered after the fact, that they be retained for a stipulated period of time, and that indexes be created so that the records can be readily searched.

In 1937, the rules assumed that such records were recorded on paper media. With the rise of information systems storage, in 1997 the SEC updated the rules by stating that such records can be kept electronically, provided that the storage devices are write once, read many times (WORM) devices. This rule was readily accepted by the financial services industry because the first CDs and DVDs were WORM devices.

However, as technology developed, broker-dealers and other financial institutions wanted to store records using regular disk storage and petitioned the SEC for guidance on how they might do that. In May 2003, the SEC interpreted the rule to enable the storage of such records on read-write media, provided that the storage mechanism included software that would prohibit data alteration:
A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(A) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. Rule 17a-4 requires broker-dealers to retain records for specified lengths of time. Therefore, it follows that the non-erasable and non-rewriteable aspect of their storage need not continue beyond that period.

The Commission's interpretation does not include storage systems that only mitigate the risk a record will be overwritten or erased. Such systems, which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls, do not maintain the records in a manner that is non-rewriteable and non-erasable. The external measures used by these other systems do not prevent a record from being changed or deleted. For example, they might limit access to records through the use of passwords. Additionally, they might create a "finger print" of the record based on its content. If the record is changed, the fingerprint will indicate that it was altered (but the original record would not be preserved). The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f).22

[Figure 6-33: Components of the FinQloud System]
Notice the SEC specifically excludes extrinsic controls such as authentication, passwords, and manual procedures because it believes it would be possible for such systems to be readily misused to overwrite records. The SEC is striking a fine line in this ruling; if, for example, someone were to tamper with the storage systems' software, it would be possible to overwrite data. Apparently, the SEC assumes such tampering would be illegal and so rare as to not be a concern.
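The distinction the interpretation draws is easy to see in code. The following example is added here and is not part of the textbook, the SEC release, or FinQloud itself: it contrasts a read-write store guarded only by a content fingerprint (an "extrinsic" control, which detects alteration but cannot preserve the original) with a store that refuses any overwrite or deletion until the retention period has elapsed. The record text, record ID, and six-year retention period are constructed for the illustration; the adjustable clock exists only so the expiry can be shown offline.

```python
import hashlib
import time


class ExtrinsicStore:
    """Ordinary read-write storage guarded only by a content fingerprint.

    The SHA-256 digest taken at ingest detects that a record was altered,
    but nothing prevents the overwrite, so the original bytes are gone.
    This is the "extrinsic control" case the SEC interpretation rejects.
    """

    def __init__(self):
        self._records = {}       # record_id -> current bytes
        self._fingerprints = {}  # record_id -> SHA-256 hex taken at ingest

    def put(self, record_id, data):
        self._records[record_id] = data
        self._fingerprints[record_id] = hashlib.sha256(data).hexdigest()

    def overwrite(self, record_id, data):
        # Nothing stops this; the fingerprint will only reveal it afterwards.
        self._records[record_id] = data

    def verify(self, record_id):
        current = hashlib.sha256(self._records[record_id]).hexdigest()
        return current == self._fingerprints[record_id]

    def get(self, record_id):
        return self._records[record_id]


class RetentionLockedStore:
    """Write-once storage that refuses overwrite or deletion of a record
    until its retention period has elapsed. Afterwards deletion is allowed,
    matching the interpretation's point that non-erasability need not
    continue beyond the required retention period.
    """

    def __init__(self, retention_seconds, clock=time.time):
        self._retention = retention_seconds
        self._clock = clock      # injectable so the example can advance time
        self._records = {}       # record_id -> (bytes, retain_until)

    def put(self, record_id, data):
        if record_id in self._records:
            raise PermissionError(f"{record_id} is locked until retention expires")
        self._records[record_id] = (data, self._clock() + self._retention)

    def delete(self, record_id):
        _, retain_until = self._records[record_id]
        if self._clock() < retain_until:
            raise PermissionError(f"{record_id} is locked until retention expires")
        del self._records[record_id]

    def get(self, record_id):
        return self._records[record_id][0]

    def has(self, record_id):
        return record_id in self._records


class FakeClock:
    """Adjustable clock so the retention expiry can be demonstrated offline."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


RETENTION_SECONDS = 6 * 365 * 24 * 3600  # hypothetical six-year retention period


def demo():
    """Run both stores against one constructed trade record and report results."""
    original = b"2016-05-14 BUY 100 XYZ @ 10.00"  # constructed sample record
    altered = b"2016-05-14 BUY 100 XYZ @ 9.00"

    ext = ExtrinsicStore()
    ext.put("T-1001", original)
    ext.overwrite("T-1001", altered)  # succeeds; only the fingerprint complains

    clock = FakeClock()
    locked = RetentionLockedStore(RETENTION_SECONDS, clock)
    locked.put("T-1001", original)
    try:
        locked.put("T-1001", altered)
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True
    try:
        locked.delete("T-1001")
        early_delete_blocked = False
    except PermissionError:
        early_delete_blocked = True
    record_intact = locked.get("T-1001") == original

    clock.now = RETENTION_SECONDS + 1  # retention period has now elapsed
    locked.delete("T-1001")            # permitted after the period
    late_delete_allowed = not locked.has("T-1001")

    return {
        "fingerprint_detects_change": not ext.verify("T-1001"),
        "original_lost": ext.get("T-1001") != original,
        "overwrite_blocked": overwrite_blocked,
        "early_delete_blocked": early_delete_blocked,
        "record_intact": record_intact,
        "late_delete_allowed": late_delete_allowed,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fingerprint store answers "was this changed?" but cannot answer "what did it say before?", which is exactly why the interpretation treats it as mitigation rather than prevention; the locked store never reaches that question because the overwrite is rejected at the storage layer. In a real deployment the lock would live in the storage hardware and firmware rather than in a Python class, since the SEC's remaining concern is tampering with the storage software itself.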
Given this ruling, organizations began to develop systems in compliance. The NASDAQ OMX Group, a multinational corporation that owns and operates the NASDAQ stock market as well as eight European exchanges, began to develop FinQloud, a cloud-based storage system that was developed to be compliant with the SEC's (and other regulating organizations') rulings. NASDAQ OMX operates in 70 different markets in 50 countries worldwide and claims that it processes one out of 10 stock transactions worldwide.23
Figure 6-33 shows the fundamental structure of the FinQloud system. On the back end, it uses Amazon's S3 product to provide scalable, elastic storage. When financial institutions submit records to FinQloud for storage, FinQloud processes the data in such a way that it cannot be updated, encrypts the data, and transmits the processed, encrypted data to AWS, where it is encrypted yet again and stored on S3 devices. Data is indexed on S3 and can be readily read by authorized users. After building the system,
NASDAQ OMX claimed that FinQloud's processing and encryption is done in such a way that it meets the SEC requirement.
Of course, NASDAQ OMX knew this statement would be perceived as self-serving, so it hired two independent companies to verify that claim: Jordan & Jordan, a securities industry consulting company, and Cohasset Associates, a document-processing consulting company. According to The Wall Street Journal, both organizations concluded that when properly configured, FinQloud meets the requirements of the SEC's rule (Rule 17a-3) as well as a similar rule set out by the Commodities Futures Trading Commission.24

Consequently, NASDAQ OMX customers can use FinQloud, and as long as they can demonstrate that they have properly configured it, their auditors will find this system to be in compliance with the SEC rulings.
QUESTIONS

6-14. In your own words, summarize the dealer-broker record retention requirements.

6-15. Reread the SEC's 2003 interpretation. In your own words, explain the difference between "integrated hardware and software control codes" and software applications that use "authentication and approval policies, passwords, or other extrinsic controls." Give an example of each.

6-16. Clearly, in the view of the SEC, the likelihood of compromise of an integrated system of hardware and software is considerably less than the likelihood of compromise of a system of authentication, passwords, and procedures. Justify this view.

6-17. Do you agree with the view in question 6-16? Why or why not?

6-18. Investigate Jordan & Jordan (www.jandj.com) and Cohasset Associates (www.cohasset.com). If you were a consultant to a financial institution, to what extent would you rely on the statements of these organizations?

6-19. If you were a consultant to a financial institution, what else might you do to verify that FinQloud complies with the SEC ruling and its 2003 interpretation?

6-20. Explain how the knowledge you have gained so far in this course helps you to understand the SEC's 2003 interpretation. Summarize how your knowledge would help you if you worked for a financial institution. Cast your answers to this question in a way that you could use in a job interview.
Go to the Assignments section of your MyLab to complete these writing exercises.
6-21. Suppose that you work at Falcon Security and Joni tells you that she doesn't believe that cheap, elastic provisioning of data storage is possible. "There has to be a catch somewhere," she says. Write a one-page memo to her explaining how the cloud works. In your memo, include the role of standards for cloud processing.

6-22. Suppose you manage a sales department that uses the SaaS product Salesforce.com. One of your key salespeople refuses to put his data into that system. "I just don't believe that the competition can't steal my data, and I'm not taking that risk." How do you respond to him?