SEC Compliance and Storage Management

With news of current corporate misconduct, accounting dishonesties, and previously unheard-of corporate bankruptcies, regulatory and compliance concerns are taking on a new meaning. Corporations must protect themselves against litigation as never before. Consequently, storage administrators find themselves increasingly responsible for understanding the needs of the business in addition to such tasks as making sure capacity is available to users and applications. One area of specific concern, especially to members of the stock exchange, brokers, and dealers but also to all companies listed on the exchange, is the Securities and Exchange Commission's (SEC's) Rule 240.17a-4(f), which outlines SEC regulations regarding management of and access to electronic records.

The numerous articles in the SEC Rule include provisions for managing classified electronic records that pertain to ongoing business or that have legal or compliance value. The business email messages exchanged among brokers, dealers, and their customers are an excellent example of such records. Not only is the volume of email growing rapidly and significantly; the storage capacity needed to hold these messages and their attachments is increasing at an even faster pace because of rich media attachments.

In the 1930s, when the SEC first set parameters for maintaining and preserving records of transactions, the commission couldn't have imagined anything like the volume of electronic records and storage-management tasks that would accompany today's deluge of data. Since the original act, the SEC has updated its rules to emphasize several key points related to records retention. Although companies must meet many requirements that are part of Rule 17a-4(f), those of specific interest to storage administrators include these two: "Preserve the records exclusively in a nonrewriteable, nonerasable format," 17a-4(f)(2)(ii)(A), and "Store separately from the original a duplicate copy of the record stored on any medium acceptable under 240.17a-4 for the time required," 17a-4(f)(3)(iii). Numerous other requirements defining access to records and indexes associated with the records require not just sophisticated records-management software, but storage-management software as well.

The first of the two requirements noted deals not only with media formats (nonrewritable, nonerasable) but also with retention periods. The rule requires that companies retain electronic records for 3 years (retention protection). "Nonrewritable, nonerasable" has traditionally meant write once, read many (WORM) optical media. Although debate periodically surfaces as to whether optical technology has a future, it remains one of the better, more cost-effective choices of media for SEC compliance. Although Network Attached Storage (NAS) is a potential replacement for optical storage because of its fast-access, near-line capabilities, NAS doesn't meet the "nonrewritable, nonerasable" requirement. In addition to optical, several WORM-tape solutions have evolved over the past few years (e.g., Sony's AIT WORM, StorageTek's VolSafe media) that let customers meet SEC requirements. EMC has also brought out a new content-addressable storage device called Centera (nonrewritable), designed specifically for fixed content.

Retention protection means that during the specified retention period, it's impossible to delete or otherwise destroy electronic media. In the case of WORM media, companies can't destroy that media until they've retained each individual record on the specific piece of media for the time period the SEC specified.

The second requirement quoted above, regarding duplicate copies, means that SEC compliance involves keeping two copies of each electronic record on an accessible storage medium. In addition to these two copies of each piece of data, many sites require a further copy of the same data for disaster-recovery protection. The retention periods the SEC requires for compliance might differ from the retention periods a company requires for disaster recovery and general recovery purposes.

The obvious conclusion: A company must maintain solid storage management, especially with respect to electronic records. The number of copies of email that a business must manage to ensure SEC compliance and provide adequate disaster-recovery protection is only one facet of the need for solid storage management. In addition, other SEC Rules governing record and index availability mean that any application-management software must provide functionality to access data and must interact with storage-management applications to ensure data availability. As more and more electronic records and attachments fall into categories that SEC Rule 17a-4(f) governs, storage administrators whose companies must comply will find themselves not only managing storage, but also becoming more familiar with specific business and compliance needs.
