SFC issues guidance on external electronic data storage

31 Oct 2019



The Securities and Futures Commission (SFC) today issued a circular to licensed corporations on the use of external electronic data storage providers (EDSPs) (Note 1).

The circular sets out requirements for when regulatory records (Note 2) are kept exclusively with an EDSP without a duplicate set of records at the premises of the licensed corporation, including the need to seek approval from the SFC (Note 3). It also conveys the SFC’s expectations for the mitigation of cyber and operational risks when electronic data storage is outsourced to an EDSP, regardless of whether regulatory records are kept with it exclusively.

"More financial institutions are using external electronic data solutions, including public and private cloud storage," said Mr Ashley Alder, the SFC’s Chief Executive Officer. "These services offer benefits such as scalability and cost savings, but firms which use them must ensure that the SFC’s access to regulatory records is not restricted or otherwise undermined."

In particular, the circular emphasises that the authenticity, integrity and reliability of regulatory records, as well as the ability to access them promptly, are crucial if the records are required to be produced in legal proceedings initiated by the SFC or the Department of Justice.

End

Notes:

  1. EDSPs include external providers of (a) public and private cloud services; (b) servers or devices for data storage at conventional data centres; (c) other forms of virtual storage of electronic information; and (d) technology services whereby information generated in the course of using the service is stored at the service provider or other data storage providers and can be retrieved by it.
  2. Regulatory records are the records or documents licensed corporations are required to keep under the Securities and Futures Ordinance (SFO) or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance.
  3. Under section 130 of the SFO, a licensed corporation shall not, without the SFC’s prior written approval, use any premises for keeping records or documents relating to the carrying on of the regulated activity for which it is licensed. 

 



Page last updated: 31 Oct 2019