Is Google Cloud SEC-compliant?

img blog Security Compliance 05

Many registered investment advisors (RIAs) and financial advisors use the Google Cloud Platform for email and data storage. This is because Google’s services are often more secure and reliable than traditional on-premises solutions. But can RIA and financial advisory firms be certain that their communications and data in Google Cloud are safe and compliant with relevant regulations and guidelines?

In this article, we’ll explore how Google Cloud, when properly configured and used, can help RIAs and financial advisors like you comply with the Securities and Exchange Commission’s (SEC) requirements.

SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c)

Financial service institutions based in the United States are subject to a number of regulations with specific requirements on electronic records retention. These requirements include how long records must be kept, what format they should be kept in, and how easily they can be accessed in the event of an audit, among others.

For example, under SEC Rule 17a-4(f), organizations must preserve certain records in a non-rewritable and non-erasable format — often referred to as “write once, read many,” or WORM format — for at least six years. Similarly, CFTC (Commodity Futures Trading Commission) Rule 1.31(c)-(d) requires firms to retain records related to commodity futures and options transactions in a format that cannot be altered, for at least five years.

Meanwhile, FINRA (Financial Industry Regulatory Authority) Rule 4511(c) specifies that organizations must keep customer account information, including communications and transactions, for at least six years, in a format and medium compliant with SEC Rule 17a-4. And if the records pertain to an account that is still active, they must be kept for as long as the account remains open and six years following account closure.

To meet these requirements, your RIA or financial advisory firm can take advantage of Google Cloud Storage Bucket Lock. This feature prevents objects in your Google Cloud Storage buckets from being modified or deleted for a certain amount of time, providing a WORM-compliant solution for long-term data storage and retention.

You can find the steps for configuring Bucket Lock here. If you aren’t familiar with Google Cloud Storage and would rather have a certified professional do it for you, you can engage a Google Partner to configure Bucket Lock instead. They can help you ensure that your data is properly stored and secured, and that your organization meets all relevant compliance requirements.

SEC Regulation SCI

In 2014, the SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) to address “systems compliance and integrity risks” in the securities markets.

Under the regulation, organizations that process accounting or financial information themselves or on behalf of their clients must establish, maintain, and test policies and procedures for the effective operation and monitoring of their systems. They must also have procedures in place for taking corrective action if any issues are identified and for promptly notifying the SEC of any significant problems.

Google Cloud can help your RIA or financial advisory firm meet these obligations through a number of features and services. For instance, Google’s global infrastructure is designed for high availability and can help ensure that your systems remain operational in the event of a natural disaster, a public health crisis, and any other wide-scale disruption. Google also tests its business continuity and disaster recovery plans regularly, so you can be confident that your data is safe and accessible following an emergency or unforeseen outage.

In addition, Google Cloud delivers cutting-edge security capabilities, such as identity and access management, data encryption, and malware prevention, to help you protect your systems and data from unauthorized access and malicious attacks. If any issues or potential incidents are detected, Google’s incident response team will immediately take corrective action and notify you of the situation.

Finally, Google applications, systems, and services undergo regular reviews by both internal and external auditors to verify compliance with industry-standard security and privacy requirements. And by offering continuous assistance and support, Google can help you ensure that your own systems and processes meet the SEC’s requirements under Regulation SCI.

All your RIA or financial advisory firm has to do is put the proper policies and procedures in place and utilize Google Cloud’s compliance-related features and services. Having an IT partner that knows the ins and outs of Google Cloud and how its features help RIAs, in particular, can be invaluable in getting everything set up correctly. They can also assist you with ongoing compliance monitoring and provide guidance if there are any changes to the SEC’s rules or regulations.


The Sarbanes-Oxley (SOX) Act of 2002 is a federal law that mandates organizations to observe certain practices in financial record keeping and reporting. Specifically, SOX Section 404 requires organizations to establish and maintain internal controls over their financial reporting processes, and to review these processes regularly. And while SOX compliance is typically associated with larger public companies, it also applies to private companies that process accounting or financial information on behalf of their clients.

If your RIA or financial advisory firm falls into this category, then you need to take steps to ensure that the specific Google services you use meet SOX obligations. This could mean, for example, implementing Google’s security and access controls to restrict who can view or modify financial data stored in your firm’s Google Docs, Sheets, and Drive files. Or, it might involve setting up auditing and logging to track changes made to this data over time.

But even though Google offers a number of services, features, and controls that can help you comply with SOX and other regulations, you still need to configure and use these correctly in order to achieve compliance. That’s why it’s crucial to partner with IT professionals who have experience working with RIA and financial advisory firms, like our team of experts at RIA WorkSpace. We can help you assess your specific needs and ensure that you’re using Google Cloud in the most secure and efficient way possible.

Contact us today to learn more about how we can help make sure your IT infrastructure is compliant with SEC regulations.