
Ensuring SEC compliance with Wasabi’s data immutability


Review SEC regulations and learn how securities brokers, dealers and other financial services firms can use Wasabi to store electronic records in accordance with them.

Executive Overview

Wasabi hot cloud storage is an extremely affordable and fast cloud storage service. Financial services organizations can use Wasabi for a variety of purposes including primary storage for electronic records and application data, secondary storage for backup or disaster recovery, and archival storage for long-term data retention.

The U.S. Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA) and Commodity Futures Trading Commission (CFTC) impose strict rules for preserving electronic records on digital media, including storage clouds like Wasabi. This white paper reviews these regulations and explains how securities brokers, dealers and other financial services firms can use Wasabi to store electronic records in accordance with them.

Wasabi Hot Cloud Storage Overview

Wasabi hot cloud storage is economical, fast and reliable cloud object storage for any purpose. Unlike legacy cloud storage services with confusing storage tiers and complex pricing schemes, Wasabi hot cloud storage is easy to understand, easy to deploy and cost-effective to scale. One product, with predictable and straightforward pricing, supports virtually every cloud storage application.

Financial services firms can use Wasabi for a variety of purposes including:

  • Low-cost primary data storage for on-premises applications or cloud-based workloads

  • Inexpensive secondary storage for backup, disaster recovery in the cloud, or data migration initiatives

  • Affordable and durable archival storage for long-term data retention

Wasabi Data Immutability Preserves the Integrity of Electronic Records

Wasabi hot cloud storage is engineered for extreme data durability and integrity. Wasabi provides eleven 9s of object durability, safeguarding data against hardware failures and media errors. In addition, Wasabi supports an optional data immutability capability that protects electronic records and application data against administrative mishaps or malicious acts.

How Wasabi Data Immutability Works

When you create a Wasabi storage bucket (the basic container that holds your data) you have the option of making it immutable for a configurable retention period. Data written to an immutable bucket cannot be deleted or altered in any way, by anyone, throughout its storage lifetime.

Wasabi supports immutability at the object, or “file,” level. With Wasabi’s S3 Object Lock, you can set unique immutability parameters for individual objects within a storage bucket. These objects can be made immutable for a configurable amount of time or indefinitely.

[Figure: Configuring an Immutable Storage Bucket (screenshot)]

An immutable object cannot be overwritten, deleted or modified by anyone—including Wasabi. Data immutability protects against the most common causes of data loss and tampering including:

  • User mistakes and administrative mishaps

  • Malicious programs like viruses, malware and ransomware

  • Software bugs

Financial services firms can use Wasabi’s data immutability capabilities in conjunction with other Wasabi functionality to ensure their systems and practices comply with certain SEC, FINRA and CFTC electronic records preservation regulations.

SEC, FINRA and CFTC Regulations for Preserving Electronic Records

The U.S. Securities and Exchange Commission has established strict electronic records preservation rules to protect investors against fraud and abuse. Enacted under the Securities Exchange Act of 1934, these regulations help ensure financial services firms comply with applicable securities laws, including antifraud provisions and financial responsibility standards.

Specifically, SEC Code of Federal Regulations (CFR) Part 240 Rules 17a-3 and 17a-4 require firms to “create, and preserve in an easily accessible manner, a comprehensive record of each securities transaction they effect and of their securities business in general.”1

Rule 17a-3 (Records to Be Made by Certain Exchange Members, Brokers and Dealers) dictates which types of documents must be retained. Rule 17a-4 (Records to Be Preserved by Certain Exchange Members, Brokers and Dealers) specifies how these documents must be retained. Penalties for non-compliance can be quite severe and often include steep fines and the suspension or revocation of licenses.

The Financial Industry Regulatory Authority refers to SEC Rule 17a-4 for its books and records preservation requirements (FINRA Rule 4511). The Commodity Futures Trading Commission has adopted rules similar to SEC Rule 17a-4 as part of CFTC Rule 1.31.

SEC Rule 17a-4 Implications for IT Planners and Storage Administrators

SEC Rule 17a-4 establishes specific technical requirements for financial services industry IT planners and storage administrators. In particular, Rule 17a-4(f)(2)(ii) states that electronic storage media must:

  • Preserve the records exclusively in a non-rewriteable, non-erasable format

  • Verify automatically the quality and accuracy of the storage media recording process

  • Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media 2

  • Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable.

And Rule 17a-4(f)(3)(iii) states that if a member, broker or dealer uses electronic storage media, it shall:

  • Store separately from the original, a duplicate copy of the record stored on any medium acceptable for the time required.

1 SEC Interpretation, Release No. 34-47806, May 2003

2 This rule is clarified in SEC Interpretation, Release No. 34-44238, May 2001

Ensuring SEC Rule 17a-4 Compliance with Wasabi Hot Cloud Storage

Financial services organizations can use Wasabi to store electronic records in accordance with applicable SEC 17a-4 rules.

Rule 17a-4(f)(2)(ii)(A) (Preserve records in non-rewritable, non-erasable format)

Wasabi’s data immutability capabilities ensure electronic records are maintained in a non-rewritable, non-erasable format. Records stored in a Wasabi immutable bucket or secured with S3 Object Lock cannot be overwritten, deleted or modified by anyone, including Wasabi personnel, for the duration of the retention period.
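A firm relying on per-object S3 Object Lock (described under "How Wasabi Data Immutability Works" and in the paragraph above) can verify that each record really is locked for its full retention period. The following check is an added example, not Wasabi's code and not part of the original paper. It assumes the field names of an S3 HeadObject response (`ObjectLockMode`, `ObjectLockRetainUntilDate`, `LastModified`), a six-year retention schedule chosen for illustration, and constructed sample metadata.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: the firm's retention schedule for this record class (not from the page).
REQUIRED_RETENTION = timedelta(days=6 * 365)

def audit_object(key, head, now, required=REQUIRED_RETENTION):
    """Check one object's Object Lock state; an empty list means it passes."""
    mode = head.get("ObjectLockMode")
    until = head.get("ObjectLockRetainUntilDate")
    if mode is None or until is None:
        return [f"{key}: no Object Lock retention set"]
    findings = []
    if mode != "COMPLIANCE":
        # In S3 Object Lock, GOVERNANCE retention can be lifted by a privileged user.
        findings.append(f"{key}: mode is {mode}, not COMPLIANCE")
    # Assumption: LastModified stands in for the date the record was created.
    required_until = head["LastModified"] + required
    if until < required_until:
        state = "already lapsed" if until <= now else "still locked"
        findings.append(f"{key}: retention ends {until.date()}, "
                        f"required {required_until.date()} ({state})")
    return findings

def audit_bucket(heads, now, required=REQUIRED_RETENTION):
    """Return {key: findings} for every object that fails the check."""
    results = {k: audit_object(k, h, now, required) for k, h in sorted(heads.items())}
    return {k: f for k, f in results.items() if f}

# Constructed sample metadata, shaped like S3 HeadObject responses.
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE = {
    "trades/2024-01-02.csv": {"LastModified": datetime(2024, 1, 2, tzinfo=UTC),
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": datetime(2030, 1, 5, tzinfo=UTC)},
    "blotter/2024-02-01.csv": {"LastModified": datetime(2024, 2, 1, tzinfo=UTC),
        "ObjectLockMode": "GOVERNANCE",
        "ObjectLockRetainUntilDate": datetime(2031, 1, 1, tzinfo=UTC)},
    "confirm/2024-03-01.pdf": {"LastModified": datetime(2024, 3, 1, tzinfo=UTC),
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": datetime(2025, 3, 1, tzinfo=UTC)},
    "memo/2024-04-01.txt": {"LastModified": datetime(2024, 4, 1, tzinfo=UTC)},
}

if __name__ == "__main__":
    for findings in audit_bucket(SAMPLE, NOW).values():
        print("\n".join(findings))
```

In production the metadata dictionaries would come from HeadObject calls against the bucket through any S3-compatible client.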

Rule 17a-4(f)(2)(ii)(B) (Ensure storage record quality and accuracy)

Wasabi provides a highly durable and reliable storage infrastructure, engineered to preserve data integrity and precision. The service is architected to withstand disk failures and media errors, and uses distributed disk arrays and advanced data redundancy algorithms to preserve the integrity and accuracy of electronic records. In addition, Wasabi validates every object every 90 days, automatically correcting any discovered anomalies.

Rule 17a-4(f)(2)(ii)(C) (Serialize and timestamp records)

The original SEC Rule 17a serialization provision is somewhat vague. A 2001 SEC interpretation clarifies the aim of the rule, stating it “is intended to ensure both the accuracy and accessibility of the records by indicating the order in which records are stored, thereby making specific records easier to locate and authenticating the storage process.”

Wasabi complies with this provision by assigning each bucket a unique name and by providing unique identifiers for each bucket including owner name, region name and creation date/time stamp. The combination of the bucket, owner and region name, along with the creation date/time stamp, uniquely identifies each record in both space and time.

Rule 17a-4(f)(2)(ii)(D) (Download indexes and records)

Wasabi supports Amazon’s Simple Storage Service (S3) application programming interface (API), which has emerged as a de facto industry standard. The API can be used to download electronic records and to retrieve system properties and metadata. Wasabi customers can use custom scripts or third-party file management utilities to download records to their medium of choice. Customers can also use custom scripts or third-party search tools to create and download indices.

Rule 17a-4(f)(3)(iii) (Maintain duplicate, separate copies of records)

Wasabi uses advanced data redundancy algorithms to protect against disk and media failures and to eliminate single points of failure within a data center. Each Wasabi data object is transformed into a series of reconstruction codes that are distributed across a collection of independent disks for resiliency. In the event of individual or multiple disk failures, data loss, or corruption, the original data object can be recreated using only a subset of the codes.

Wasabi also offers geo-redundant storage for added resiliency. Wasabi lets customers store data across geographically dispersed Wasabi data centers to protect against natural disasters and catastrophic data center events.

Additional SEC Compliance Consideration

In addition to electronic records preservation regulations, the SEC has established a number of other rules governing the storage, processing and transmission of electronic records. In particular, CFR Title 17 Chapter II Part 248 mandates that financial services firms adopt procedures to safeguard customer records and personal information. More specifically, section 248.30 states firms must adopt policies and procedures to:

  • Ensure the security and confidentiality of customer records and information

  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information

  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer

Wasabi’s cloud storage service ensures the privacy and integrity of customer records and personal information, helping financial services organizations comply with the SEC statute. Wasabi takes a “defense-in-depth” approach to security, employing multiple layers of security for ultimate protection. Wasabi ensures the physical security of its data centers; institutes strong authentication and authorization controls for all its cloud compute, storage and networking infrastructure; and encrypts data at rest and in transit to safeguard confidential customer information.

Physical Security

The Wasabi service is hosted in premier top-tier data center facilities that are highly secure, fully redundant, and certified for SOC 2 and ISO 27001 compliance. Each site is staffed 24/7/365 with on-site security personnel to protect against unauthorized entry. Security cameras continuously monitor the entire facility, both indoors and outdoors. Biometric readers and two-factor or greater authentication mechanisms secure access to the building. Each facility is unmarked so as not to draw attention from the outside.

Secure Network Architecture

Wasabi employs advanced network security elements, including firewalls and other boundary protection devices to monitor and control communications at internal and external network borders. These border security devices segregate customers and regulate the flow of communications between networks to prevent unauthorized access to Wasabi infrastructure and services.

Data Privacy and Security

Wasabi supports a comprehensive set of data privacy and security capabilities to prevent unauthorized disclosure of electronic records. Strong user authentication features tightly control access to stored data. Access control lists (ACLs) and administratively defined policies selectively grant permissions to users or groups of users. Wasabi encrypts data at rest and data in transit to prevent record leakage. All data stored on Wasabi is encrypted by default to protect data at rest. And all communications with Wasabi are transmitted using HTTPS to protect data in transit.

Data Durability and Protection

Wasabi is architected to deliver extremely high data durability and integrity. Wasabi provides eleven 9s of object durability, protecting data against equipment failures and media errors. In addition, Wasabi’s data immutability capability guards against administrative errors or malicious attacks.

Data Ownership and Disclosure

The Wasabi Storage Platform Terms of Use Agreement grants the financial services organization exclusive ownership and control of stored data. Under the terms of the agreement, the subscriber (the financial services organization) maintains ownership of all subscriber data. All data stored on Wasabi remains the exclusive and confidential property of the subscriber.

Conclusion

SEC Rule 17a-4 establishes strict guidelines for preserving electronic records. Compliance violations can result in significant financial penalties and even loss of license. Securities brokers, dealers and other financial services firms can use Wasabi hot cloud storage to maintain electronic records in accordance with applicable 17a-4 provisions.

Wasabi supports data immutability at both the bucket and object level to ensure electronic records are not deleted, overwritten or modified; leverages advanced data redundancy mechanisms to maintain record integrity and accuracy; generates descriptors and timestamps to uniquely identify records; supports standards-based APIs for efficiently downloading records and indices to separate media; and distributes records across physical storage elements for resiliency.

Wasabi recognizes that financial services institutions have unique security, regulatory, and compliance obligations. Wasabi has engaged with Cohasset Associates to produce an assessment detailing how Wasabi’s S3 Object Lock satisfies the technical requirements in SEC, CFTC and FINRA rules.

Additional Information

For additional information about SEC, FINRA and CFTC electronic records preservation rules consult the following resources: