Six Things Broker-Dealers Should Consider when Choosing a Remote Backup Provider

Meeting Today's Demanding Requirements:

With their continuing advancements in technology, remote backup providers are now being used by small broker-dealer firms to achieve today's demanding data compliance requirements, such as the rules outlined in SEC 17a-3 and 17a-4 and the business continuity and electronic records supervision regulations contained in 3510 and 3010 from FINRA. By using these third-party providers to remotely store their critical records, broker-dealers now have a ready-made option to quickly and inexpensively transfer data from all systems across the entire operation to a remote location.

However, not all remote backup providers are created equal. Small broker-dealer firms need to be careful in selecting the right provider to help them achieve today's stringent data compliance regulations. They should look for the following features when choosing a provider to outsource their remote storage.

What to look for in a remote backup provider:

1. Comprehensive

Rule 17a-3 stipulates that a broker-dealer must protect and keep available the books and records relating to its business. This often covers a wide range of electronic records, and it is vital to select a remote backup provider that can protect these various data formats. This must include data such as email residing on internal servers and on individual PCs, such as PST files saved on users' hard drives. Other documents that hold client information created with Microsoft Office Word, Excel, PDF reports and customer data inputted into databases should easily be supported. The software should be configured to initially capture a full backup of this data and then be set to run every night and back up the daily incremental changes from then on.

In addition to regular protection of this user data, a provider should have the built-in ability to perform full system-state backups of critical systems to enable "bare metal" restores to alternate hardware. This will allow the quick recovery of servers and their associated operating systems and programs in the case of complete failure.

2. Licensing-Free Software

In choosing a remote backup provider, small broker-dealers should select a provider that does not charge for software licensing. A cost based only on the amount of data stored eases administration and allows branch offices, remote users and home users to be added easily to the data compliance process.

3. Completely Self Managed

Small broker-dealer firms can't spend valuable time managing backups. They should choose a provider who will completely administer the backup process and offer the ability to remotely connect to their software and immediately address problems when they arise. This should be included as part of the provider's service to ensure missed backups do not leave gaps in a broker-dealer's data compliance strategy.

4. Built-in Archiving

SEC rule 17a-4 poses particular challenges for small broker-dealer firms because of the specific technology required to achieve the long-term retention requirements of this mandate. In choosing a remote backup provider, it is critical that a small broker-dealer firm understand the difference between backup and archiving. By default, to keep cost low, remote backup providers only store customers' data on a limited retention basis using quick-access hard disk. This will be set within their software to overwrite files that change frequently and keep only 10 to 30 versions of changes. Unfortunately, this is not compliant, and data that changes frequently will be overwritten. Therefore, older copies of files may not be available during an audit or in the event of a disaster. An additional archiving process must be added in this case to perform regular full "snap-shots" of data at least monthly and move them to non-rewriteable optical disks. These will then be stored securely for at least 6 years. Non-rewriteable DVDs are a perfect technology for this because of their capacity, durability and low cost.

5. Reporting

A provider's backup software should have the ability to send automatic email reports to compliance officers for review. This will be part of the broker-dealer's supervisory duties and a key component of their regular compliance reporting and auditing procedures.

6. Ease of Recovery

In the event of a disaster it should be easy for broker-dealers to restore data back to its original location or to an alternate site. Also, during SEC audits broker-dealers may be requested to reproduce current or archived data on separate media such as USB drives, CDs or DVDs so it can easily be reviewed by auditors. Ensuring a provider can easily restore this data to common file formats on alternate media will ease the audit review process. In addition, providers should be able to integrate seamlessly with FINRA's Small Firm Emergency Partner Program and allow data to be immediately restored to a pre-designated partner firm at a geographically separate location.

Summary

Small broker-dealer firms must identify critical vulnerabilities in their data compliance strategy. Due to their lack of internal staff or budgets, they must look to third-party providers to help them build data-compliant systems. Remote backup providers are now well suited as an option for these companies to achieve today's complex data compliance requirements.

These six things to consider in a remote backup provider have been presented to help small broker-dealer firms successfully choose between the many providers that exist today. In following the above guidelines they will have more success in choosing the correct provider. Essentially the goal is to ensure SEC audit success and quick recovery of critical records in the event of a disaster.