In today’s heavily regulated financial landscape, institutions must adhere to stringent guidelines for storing and preserving electronic records. The SEC, FINRA, and CFTC mandate that records be maintained in a non-rewriteable, non-erasable format for the entirety of their retention period. Cloudian® HyperStore®, a scalable, S3-compatible object storage platform, has recently been rigorously reevaluated by Cohasset Associates, Inc., based on our latest version of HyperStore software, and is now certified to meet new and emerging regulatory requirements.
Regulatory Overview for Electronic Recordkeeping
Key financial regulations require strict compliance to ensure data integrity, availability, and immutability over specified retention periods:
- SEC Rules 17a-4(f) and 18a-6(e): Require broker-dealer records to be stored in tamper-proof formats.
- FINRA Rule 4511(c): Mandates that records are preserved in a non-modifiable format.
- CFTC Rule 1.31(c)-(d): Establishes standards for preserving records securely and accurately for audits.
These regulations emphasize the need for immutable storage solutions to safeguard the authenticity of records. Cloudian HyperStore’s Object Lock feature, when configured in Compliance mode, ensures regulatory adherence and has been independently verified by Cohasset Associates.
Compliance Capabilities of Cloudian HyperStore
Cloudian HyperStore provides an integrated suite of features designed to ensure regulatory compliance while offering secure, scalable storage for financial institutions.
- Immutable Record Storage
HyperStore’s Object Lock functionality ensures that records are stored in a non-rewriteable, non-erasable format. In Compliance mode, retention policies are strictly enforced, preventing tampering or premature deletion of records, as required by SEC, FINRA, and CFTC regulations.
- Legal Hold Protection
HyperStore supports Legal Hold, allowing financial institutions to override retention periods and prevent the deletion of records under audit or litigation. This ensures compliance during regulatory investigations or legal proceedings.
- Retention Policy Enforcement
Retention policies in Compliance mode are immutable, ensuring records remain preserved until their retention period expires and any active Legal Holds are lifted. This guarantees adherence to SEC and FINRA retention mandates.
- Versioning and Data Integrity
Versioning is automatically enabled for Object Lock-enabled buckets. Each record version is preserved independently, with retention and Legal Hold settings intact. Robust checksum-based data verification mechanisms further ensure data integrity throughout its lifecycle.
- Redundancy and Data Availability
Cloudian HyperStore employs replication and erasure coding to protect data against hardware failures and corruption. These redundancy mechanisms ensure records remain accessible for audits and regulatory reviews.
- Audit System Support
HyperStore meets SEC Rule 17a-4(f)(3)(iii) and 18a-6(e)(3)(iii) requirements by maintaining a detailed, tamper-proof audit trail. Authorized users can easily retrieve records and export them in human-readable formats for audits.
Security Features Supporting Compliance
HyperStore incorporates advanced security controls to protect the authenticity and reliability of stored records.
Identity and Access Management (IAM)
Granular IAM policies enable administrators to control user access at the bucket and object levels, ensuring only authorized personnel can manage or modify records.
Encryption at Rest
HyperStore supports server-side encryption (SSE) using either system-generated or customer-provided keys (SSE-C). Encryption policies can be applied at the bucket, object, or storage policy level, ensuring flexibility in meeting data protection requirements.
Security Controls for NTP Services
To safeguard the accuracy of system time and prevent tampering, HyperStore restricts access to NTP services via the HyperStore Shell. This restriction prevents unauthorized or accidental modifications of the system clock, ensuring that records cannot be deleted prematurely due to time manipulation. The inability to alter the clock without authorization provides another critical layer of protection for compliance.
Certified Compliance by Cohasset Associates
Cohasset Associates’ evaluation confirms that Cloudian HyperStore, when configured with Object Lock in Compliance mode, meets the recordkeeping requirements of:
- SEC Rules 17a-4(f)(2) and 18a-6(e)(2),
- SEC Rules 17a-4(f)(3)(iii) and 18a-6(e)(3)(iii),
- FINRA Rule 4511(c),
- CFTC Rule 1.31(c)-(d).
Conclusion
Cloudian HyperStore provides financial institutions with a robust, scalable, and compliant solution for electronic record retention. With features like Object Lock, retention policy enforcement, versioning, data redundancy, and encryption, HyperStore ensures that records remain immutable, secure, and accessible throughout their retention lifecycle.
For institutions facing increasing regulatory pressure, Cloudian HyperStore offers peace of mind by combining cutting-edge security with seamless compliance capabilities.
To learn more, access the Cohasset Associates Compliance Assessment of Cloudian here.
Glenn Haley, Senior Director of Product Management, Cloudian
