Just as accounting scandals earlier this decade led to new regulations like Sarbanes-Oxley, last year’s global financial meltdown coupled with Democratic control of the White House and Congress seems like a recipe for a host of new compliance regulations — and thus more business for storage vendors and more work for storage administrators.
But the changes won’t stop with an Obama presidency and the 111th Congress. The leaders of the Group of 20 industrial and emerging countries (G-20) have been meeting to consider global regulations aimed at raising bank capital standards and regulating hedge funds, with European leaders at the forefront of the new financial market regulation.
While it might be years before all this results in any kind of international consensus, another round of regulation is almost certainly at hand.
“It is extremely likely that we will see more regulation in the financial markets as a result of the current economic crisis,” said Brian Babineau, an analyst with Enterprise Strategy Group. “In addition, a Democratic president with a Democratic legislation is likely to increase regulation on other industries, including healthcare. The interesting thing to watch will be what rules are put into place when the government bails out other industries like the automotive sector.”
Regulations to improve corporate governance and transparency will likely be at the forefront of regulatory efforts, which will have consequences for data storage and management.
“An increased focus on governance usually means that companies will have to create more business records and save them for extended periods of time,” said Babineau. “Because much of today’s business records are created electronically, this should drive storage demands.”
A few years ago, for example, legislation such as SOX and SEC Rule 17a-4 raised the importance of information storage in auditing, as organizations were forced to save more data for longer periods of time. SEC Rule 17a-4, in particular, included a non-eraseability and non-rewriteability requirements for storing business records. This opened the door to disk-based storage, moving archival storage beyond optical or tape systems.
“While many view 17a-4 as a financial services industry-specific rule with limited influence outside of Wall Street, the reality is that this regulation instantiated disk as suitable medium for the strictest record retention regulations,” said Babineau. “As such, companies began altering archiving strategies from ones that centered on backup software and tape or optical devices to ones that incorporated purpose-built archive software and disk systems. Compliance officers, records managers, internal auditors, corporate counsel and other business constituents joined IT in making these investment decisions, and storage was now on their radar screen.”
Audit Logging Could Be Targeted
SOX and other regulations like FRCP stimulated interest in the archive and nearline disk market and exposed tape media’s shortcomings for meeting search and audit requests.
“Generally, additional regulation mandates that organizations have to demonstrate their ability to reproduce transactional records within a specified timeframe when requested,” said Brian Kelly, an executive at Ernst and Young Global Ltd. “After the failure of some major organizations to respond to such audit requests, an overhaul of the archival process was mandatory.”
This led storage vendors to introduce disk-based nearline storage products as well as regulatory compliance-specific products such as EMC (NYSE: EMC) Centera Compliance Edition. That effectively began the trend toward a tiered hierarchy, with disk occupying at least tier one and two, with tape relegated to either tier three or off-site archiving.
“A new storage tier was introduced, and even within the nearline category, different storage technologies are delivering different SLA to respond the relevant regulation,” said Kelly. “Additionally, advanced search tools were introduced to limit manual intervention in responding to any audit request.”
He points out one further area where current storage solutions tend to fall short, or which organizations generally do not do enough: logging.
“I have encountered many situations where logging is either not enabled or is limited and overwrites itself in a very short period of time,” said Kelly. “This makes troubleshooting and investigation very difficult … if not impossible.”
As a consequence, he expects emerging regulation to focus attention on organizations’ incident response and investigation programs. Directly or indirectly, this will require improvement in audit and logging programs and could potentially lead to the mandating of log retention for much greater periods of time than typically are retained today.
‘Compliance Tax’
Meanwhile, vendors are continuing to churn out offerings aimed at satisfying retention requirements for financial records, HR documents, executive communications and other sensitive information. Lumigent Technologies, for instance, offers finance controls monitoring for business applications that the company says drives down the cost of compliance.
Lumigent president and CEO John Capobianco founded the company after an experience in taking a company public a couple of years back. Annual spending in his finance department soared from $300,000 to $2.5 million, mostly to cover manual compliance reporting.
“This ‘compliance tax’ of roughly $2.2 million per year delivered exactly zero benefit for my products, my consumers, my employees, or my company,” he said. “Software can automate regulatory compliance tasks previously done by hand. Financial compliance control systems streamline compliance reporting, letting organizations dramatically reduce their compliance costs and focus their energies on satisfying customers and turning profits.”
Stories such as Capobianco’s abound, and anecdotes of companies avoiding U.S. financial markets to register overseas have become commonplace. The burdensome nature of SOX and its ilk not only failed to prevent financial catastrophe and reign in corporate shenanigans, its critics charge, but they have also made it much harder to do business in the U.S.
This has led to cries for the abolition of SOX from the likes of former Speaker of the House Newt Gingrich. He believes SOX has done more harm than good, is undermining the venture-capital industry in Silicon Valley and has led to many companies becoming private once again to avoid its shackles. Still, given the current financial crisis and the new Administration, it seems likely that compliance regulations will only get tougher.
“With respect to Mr. Gingrich, I can’t imagine popular opinion backing the repeal of SOX,” said Capobianco. “Overall, people are wary of Wall Street, and the bipartisan consensus this election year favors more regulation, not less. But even if SOX is replaced by smarter, less destructive regulations, organizations will continue to pay the hidden tax to demonstrate their compliance.”
Whatever lies just over the regulatory horizon, one thing is for sure: Storage administrators are going to end up with even more data to store, and storage vendors will benefit from a market driven by the need to comply.
“IT can help expedite compliance,” said Babineau. “Storage is an integral part of many compliance-related business process solutions because it is the final resting place for vital data. It also replaces the paper box as the resting place for business records which need to be created and retained for years.”