Wednesday, August 18, 2021

FINRA studies adoption of cloud computing among broker-dealers

By Anne Sherry, J.D.

To understand the opportunities and challenges presented by cloud computing, FINRA’s Office of Financial Innovation reached out to 40 market participants to learn about the state of cloud adoption within the securities industry. The survey revealed a range of adoption, with some fintech and other younger firms having built their technology in the cloud, while other firms are waiting to see how cloud computing evolves before adopting the technology. FINRA requests comments on the report, including areas where guidance or modifications to FINRA rules may be desired to support cloud adoption while maintaining investor protection and market integrity, by October 16.

FINRA staff spoke with nearly 40 market participants, including broker-dealer firms, cloud service providers, industry analysts, and technology consultants. Firms reported on their level of cloud adoption (if begun), the benefits they’ve reaped, and the challenges they faced when migrating to the cloud. The report describes cloud computing and various deployment and service models before summarizing firms’ experiences. Finally, it discusses regulatory considerations for cloud computing.

Status of cloud migration. The paper describes four levels of cloud adoption among firms. Businesses that are fully in the cloud generally include fintech startups that launched their business in the cloud natively and small firms that have been able to move to the cloud using off-the-shelf software as a service (SaaS) products. Firms that are partially in the cloud have begun the process of migration, with larger firms generally articulating an enterprise strategy for increasing their cloud presence. The report notes a divergence in strategy: some firms migrated mission-critical work first, while others transferred lower risk workflows involving less sensitive data.

Other firms are exploring or experimenting in the cloud and may have defined a migration strategy. Finally, there are firms, typically small or medium-size, that maintain systems mostly on premises and are not actively contemplating moving to the cloud. Some of these firms use SaaS products for non-core functions. FINRA found that the firms are not necessarily wary of new technology; rather, they do not see a particular urgency to transition to the cloud and were able to adapt to the surge in remote work necessitated by the pandemic.

Benefits and challenges. Firms cited benefits and challenges related to agility, resiliency, costs, cybersecurity, staffing, and operations. Several firms suggested that cloud-based infrastructure may allow them to be more innovative and nimbler in offering new products and services. The ability to "fail fast" without investing in new servers and personnel could drive innovation. Similarly, firms felt that cloud technology offers resiliency and the ability to easily scale computer usage to accommodate surges in demand for IT resources, such as those experienced during the pandemic.

Firms also said that cost is a factor while suggesting that the financial benefit of migrating to the cloud may only be felt in the longer term. In the short term, migration presents costs of retraining staff and hiring people with specialized expertise, along with refashioning existing workflows and redesigning data and applications. And while firms thought that cloud computing could have benefits for cybersecurity, in part because cloud service providers enjoy economies of scale in managing data centers, the firms also reported that the cloud environment could be less secure than keeping data onsite if appropriate measures, such as encryption and key management, are not taken. Firms also noted the importance of allocating responsibilities between the firm and the cloud provider so that the firm does not mistakenly assume that the cloud service provider will take on tasks that the firm should be assuming.

Finally, firms discussed "lock-in" risk, where a firm becomes excessively dependent on a specific cloud provider. This could compromise resilience if the service provider becomes unreliable. While firms think portability and "containerization" of data is a good strategy to mitigate lock-in risk, they also recognized this is a challenging task. Building expertise in multiple clouds adds to the strain on human resources capabilities, while containerizing data could disrupt business availability.

Regulatory considerations. FINRA also highlighted thematic areas for consideration by regulators. These include cybersecurity and other cloud vulnerabilities, including misconfiguration and poor access controls. Firms are also subject to requirements to safeguard customer records and information, even if they outsource some tasks to cloud service providers. If a firm’s cloud adoption leads to changes in how it collects, stores, analyzes, and shares customer data, the firm may need to update its policies and procedures related to data privacy. Similarly, cloud computing can implicate FINRA Rule 4370 on business continuity plans, as well as FINRA and SEC rules requiring that records be preserved for a specified time in a non-rewriteable, non-erasable format.

Comment period. FINRA encourages comments on the paper, which should be sent by October 16 using FINRA’s online comment form, email, or regular mail. Comments will be made available publicly on the FINRA website.