We’re proud to announce that Cloud9 Technologies has received the ISO 27001 Certification, the international standard that describes best practices for an information security management system (ISMS). Compliance with this certification validates that Cloud9 has implemented comprehensive information security practices that protect our users, their information, and their call record data in accordance with internationally-recognized standards.
The ISO 27001 family of standards ensures the secure management of financial information, intellectual property, employee details, and third party information by assisting firms in establishing methodologies and meeting key objectives for implementing information security.
Cloud9 underwent in-depth testing and assessment by a third-party auditor to validate compliance with this standard. Maintenance of the certification requires an annual review and a three-year re-certification, giving Cloud9 users confidence that their data is continuously protected under these standards.
Since our founding, security has been a top priority for Cloud9. Our robust security framework includes end-to-end, triple encryption security that safeguards calls, recordings, and call data in transit and at rest. Achieving this certification provides independent validation of the company’s ability to safeguard the calls, voice recordings, call data, and business information that users entrust to Cloud9.
“We’re proud to be internationally recognized as a leader in information security protocols and best practices. It is a testament to the dedication of our team in ensuring that we have every safeguard in place when dealing with user information,” said Cloud9 Technologies CTO, Leo Papadopoulos. “Data security is critical when dealing with the financial industry, and Cloud9’s ISO certification provides our users with the highest level of protection for their most sensitive communications.”
To continue this excellence in security and compliance, Cloud9 has employed a security management team dedicated to the prevention and monitoring of security threats as well as managing strict policies around escalation and rapid response.
For firms looking for guidance about how regulatory agencies apply outsourcing rules to cloud services, recent guidelines issued by the UK Financial Conduct Authority (FCA) offer support for the use of public cloud technology at financial services firms.
In a set of new guidelines released in July, the FCA recognized the need to provide more detail on their approach to financial services firms using a cloud services provider. The guidelines go on to provide a positive endorsement of cloud technology, stating: “We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”
The new guidelines support the FCA’s effort to foster innovation in order to promote competition in the financial services sector. They state in the report, “Using the cloud can provide more flexibility to the services firms receive, enabling innovation, and bringing benefits to firms, consumers, and the wider market.”
These cloud-friendly guidelines demonstrate a changing attitude towards the cloud in the financial services industry, as discussed recently at our panel, Fintech and the Cloud. Third party cloud providers offer financial firms a number of benefits such as cost savings, increased security, and often, built-in compliance.
Regarding security, the FCA went on to advise firms considering a third party cloud service to agree on a data residency policy with their provider upon beginning their relationship. Building this trusting relationship between firm and provider is key to implementing a secure and effective cloud solution.
With the MiFID II deadline looming in Europe and Brexit shaking up the market structure worldwide, financial firms consistently face the pressure of compliance. New mandates mean new processes to implement, and often, disruption to business, which ends up costing firms significant amounts of money. The 2016 European Fixed Income Benchmarking Report notes that 52% of companies have experienced increased costs due to implementation of European regulations that have negatively affected their fixed income trading operations.
Companies dedicate entire teams to understanding and implementing new compliance measures, with MiFID II particularly top-of-mind among European financial firms. The same benchmarking report notes that 48% list “Understanding the Regulations of MiFID II” and 38% list “Implementing MiFID II Guidelines” as a top 3 organization priority, even falling above typical business processes like “Identifying New Emerging Market Opportunities” or “Finding Alternative Methods to Source Liquidity.” The concern is shared in the United States markets as well, where “Understanding and Implementing US Regulatory Guidelines” topped the list of concerns at 68%.
With regulation taking up so much attention, how can companies stay compliant without breaking the bank or disrupting their business?
The key, many firms are discovering, is replacing one-dimensional, legacy equipment with new technology that offers adaptability and efficiency. The majority of buy-side traders surveyed in the European Benchmarking Report plan on investing at least 16-30% of their total budgets on new technology in the next 12 months.
Adopting the right technology at a firm can make implementing compliance mandates easier on teams and on their wallets. Generally, firms are on the hunt for new technology that meets the following requirements:
- Compliance structures are already built into the system.
- Features state-of-the-art technology that is reliable.
- Able to cope with new regulations and keep the firm legal. The technology should be capable of adapting not only as your company grows, but also as regulations change, and should update automatically to account for changing mandates.
- Doesn’t disrupt business operations and interacts seamlessly with existing devices and procedures.
- Is cost effective. The solution shouldn’t require extensive maintenance or costly replacements when regulations change.
With these qualifications in mind, Wall Street CIOs are increasingly investing in new, modern platforms to keep their firms secure and compliant. Not only are they more affordable than ever, updated technologies give financial firms the flexibility to adapt to changing regulations, better reconstruct trades, and overall, conduct business more efficiently.
Financial services firms are reluctant to take their operations to the cloud – will their fears and the reality about security in the cloud ever align?
It’s no secret that security is always top of mind for financial firms, and a growing number of major data breaches in the past few years are not making CIOs and IT Directors sleep better at night. Financial firms deal with some of the most highly sensitive data in the world, and a breach could instantly ruin the operation and reputation of their business.
Needless to say, banks and financial services firms aren’t exactly rushing to hand over some of their most important and confidential information to a third party technology vendor. The fact that many fintech solutions also operate with a foundation in the cloud only adds to the hesitation.
This reluctance by financial firms has many asking: How much is too much when it comes to security?
Trick question – you can never be too secure. According to a recent article from securityintelligence.com, the financial sector is one of the most targeted industries in the world, and breaches lead to considerable liabilities, dropped stock prices, and customers exposed to identity theft; no financial institution should be complacent when it comes to security. Firms should approach adoption of fintech with the understanding that most fintech providers are often even more prepared to deal with security threats than the financial institutions themselves.
Many fintech providers utilize a cloud service, like Amazon Web Services (AWS), to host and scale their technology using public servers. Despite the initial fear around a word like “public,” a reliable provider like AWS is designed to face numerous issues specific to the financial marketplace including security threats, technology disruption, and disaster recovery. Security, in particular, is an inherent component of AWS and many other cloud services.
“The financial services industry attracts some of the worst cyber criminals,” says Rob Alexander, CIO of Capital One, in a quote from AWS’ own web site. “We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.”
Although the cloud has built-in security capabilities, fintech firms ensure protection of financial institutions by creating infrastructures that secure data at every point, from origin to destination, as well as architecture for compliance. They put effort into developing integrated and adaptive solutions as well as developing a relationship with IT professionals through exceptional service and support.
Financial institutions have the most to gain by finding a trusted partner to support their key business operations in the cloud, versus hosting the product or service on-premises.
It would take far too much time for a bank to build the kind of high-level security that fintech firms are building on their own, supported by the knowledge gained from working with hundreds of organizations. The right partner can not only provide economies of scale in terms of building a robust set of security capabilities, but they have the resources and knowledge to nearly eliminate security threats in relation to a specific service or application.
Companies like Cloud9 Technologies, a trader voice cloud-based communications provider designed to replace telephone-based trading hardware (turrets), are a great example of this advantage in action. Built on the Amazon Web Services cloud, we’ve enabled our service with two factor authentication and advanced voice encryption that secures calls in transit and also restricts unauthorized users from accessing recorded calls. These specific security measures take the unique needs of voice traders into account and provide financial institutions with a solution that is safer and more effective than legacy hardware or an on-premise system.
However, financial institutions should be cautious when considering technology solutions designed for the general enterprise. To take an example from our own space, collaboration: thousands of Slack access tokens were recently posted on GitHub, making it simple for hackers or automated scripts to access account details, some of which belong to Fortune 500 companies.
Using these tokens, it would be possible to eavesdrop on a company and easily access internal chat conversations and protected files. Bugs recently discovered in the Microsoft 365 system by two security researchers could have given hackers unrestricted access to any account under the system, including Skype for Business.
It’s a dangerous world out there for financial institutions, but the right partner can provide the best defense against security breaches. Fintech providers that fully understand and support the niche requirements of the industry will ultimately prove to be the best asset to financial institutions as they transition to the cloud. There is no such thing as too much security, and when it comes to safeguarding information in the financial services space, finding the right technology partner can make all the difference.
One of the most underrated aspects of the upcoming Markets in Financial Instruments Directive (MiFID II) is the requirement for voice recording. The regulation, set to take effect January 3, 2018, states that if there is an intention to execute a trade, the entire dialogue and/or discussion must be recorded.
For many EU-based firms, this means significant steps must be made to ensure their trader voice technology is compliant; however, the transition process is proving more difficult than imagined.
This post references two articles in which Cloud9 President Greg Kenepp shared his thoughts about the upcoming regulations as well as the solution needed to ensure compliance. The articles are from MarketsMedia and Financial Technologies Forum.
Despite the postponement of MiFID II to January 2018, a recent study by Sapient Global Markets has found that only 10% of firms are claiming that they are “very ready” with solutions that ensure compliance with the new regulations. Although originally extended to allow businesses to implement the necessary technical improvements, experts are worried that the extra time might cause complacency.
Cian O’Braonain, Director of the Regulatory Reporting Practice at Sapient, says, “It’s inevitable that whenever the word ‘delay’ or ‘postponement’ is used there’s a natural temptation to ease off and become complacent because they now have 24 months to complete the project. That’s incredibly dangerous because the extra time should be used to understand the complexity, the IT requirements and also for testing and re-testing to ensure reporting completeness and accuracy.”
O’Braonain also warned of the danger that firms might not seek the most efficient solutions that can keep pace with the depth and breadth of MiFID II, let alone refinements to other regulations such as European Market Infrastructure Regulation. Even in the US, a solution must be able to adapt to changes in regulations such as the Dodd-Frank Act, which also contains mandates about when and what discussions must be recorded.
As Cloud9 President Greg Kenepp agreed recently, “Banks will need to work diligently over the next two years to ensure that their call recording practices go above and beyond what is required by MiFID II.”
Legacy trader voice options, like turrets, are a significant obstacle to this process, largely due to their inability to record all calls and messages as well as the inability to identify individuals on calls. This failure to reconstruct accurate conversations has companies seeking alternative technology.
The silver bullet solution needs to be able to cover the regulatory demands of MiFID, be adaptable to change in a number of trading compliance regulations, as well as meet the demand by traders for a system that supports both voice and digital communication.
The Cloud9 Solution
We have been incredibly proactive in meeting the regulations outlined in MiFID II, with call recording and retention already built into the application. Other features, such as rapid implementation and adaptability ensure that our Cloud9 users will be prepared for any and all compliance adjustments.
Current MiFID II rules require that 180 days of call and communications data be retained by financial institutions, but it will eventually specify that firms must meet a mandatory requirement of five years of data recordings. Cloud9 gives firms the ability to define their own retention periods, and to download their own recordings. Compared to the difficult reconstruction of discussions using turrets, with Cloud9, compliance officers can easily identify which participants were involved with each trade.
In addition, these recordings are securely stored behind several layers of encryption on Amazon Web Services, keeping them from being tampered with or erased.
Since our application is hosted in the cloud, the implementation process is far less painful than that of a traditional telecom-based solution, which can take anywhere from a few weeks to a few months. Within minutes, a user can be connected to the Cloud9 Trader application, begin building out their contact list using the expansive network, and communicate with them.
The lack of any physical hardware is key to the efficient and effective implementation of a compliant trade communication system.
Another advantage of having a cloud-based solution is that any system updates can easily be rolled out across the entire user base. When new regulations pass and an update is needed, companies do not have to worry about replacing an entire hardware infrastructure; they can simply download an updated version of Cloud9.