This past June, the SEC fined JP Morgan $4m for deleting 47 million communication records. JP Morgan does not appear to have intended to delete the communications; the fault appears to lie with its third-party journaling vendor. The deletion was nonetheless permanent, meaning the emails were unrecoverable, and JP Morgan had not performed proper Disaster Recovery testing to confirm that the records were actually being protected.
This isn’t purely a compliance issue – it’s predominantly a Disaster Recovery error. As such, it is critical to ensure that Disaster Recovery testing covers all data, especially data that is considered immutable, like emails. We find that many companies only test the data stored by their IT managed service provider – for example, their Microsoft cloud data (e.g., M365) – and not the many other cloud-based systems they use, whether that is another cloud data vendor like Dropbox or, in the hedge fund space, a post-trading reconciliation system. Moreover, in many instances PE firms and their vendors are required to delete this data because of due diligence covenants, and that deletion should be tested as well.
So, what is the lesson? People trust their vendors blindly, but the fact is that all of them need to be incorporated into your Disaster Recovery testing process; testing must not focus only on your main cloud vendor. You must know what your regulatory data retention requirement is for each of them, and routinely test each one to ensure that historical data is, in fact, being backed up properly.