Data Backup and Compliance with FINRA & SEC
Registered Investment Advisors (RIA), finance professionals and members of FINRA have strict standards to uphold when it comes to data, security and privacy. If your organization is looking to ensure compliance when it comes to your backups, here we provide some general guidance. First, we review FINRA and SEC rules and regulations that could impact your choice of backup solutions. Next, we offer some general guidelines and features to look for in a backup solution to ensure compliance with FINRA and SEC.
FINRA and Business Continuity and Disaster Recovery Planning
Let’s start with FINRA Rule 4370. This rule requires that each member organization develop and maintain a written business continuity plan that addresses how the organization will continue operations in the event of business disruption. The business continuity plan needs to be maintained and kept current. While there is flexibility in what to include in the business continuity plan, the rule requires that the planning process address, at minimum, 10 items. The first of these is a data back-up and recovery solution for both hard copy and electronic data.
SEC and Data Retention and Archiving
Another regulation that needs to be reviewed when developing a backup solution for a FINRA member organization is the Securities Exchange Commission (SEC) Rule 17a-4. According to these guidelines, all data needs to be retained for a period of at least 6 years. For the first two years, all data needs to be easily accessible.
SEC and Data Protection, Privacy and Cyber Security
Data protection and safeguarding customer information are covered in Rule 30 of SEC Regulation S-P and SEC Regulation S-ID, and FINRA offers detailed guidelines when it comes to cybersecurity and data security.
Backups that Comply with SEC and FINRA Regulations
Backup to Alternate Sites
Whether you create a backup copy that resides in a second physical location or in the cloud, a secondary copy in an alternate location will ensure business continuity and access to data in the event of business disruption.
Protect your client data by encrypting your files and devices both at rest and while in transit.
Make sure to retain your data for a long period of time, at minimum 6 years.
Take basic security measures to safeguard your backups, including providing access only to those who need it, requiring 2-factor authentication and strong passwords for login, and ensuring strong physical security.
To ensure data can be restored without loss or damage, test your backups frequently.