
Private Equity and SEC Compliance

How we helped with SEC compliance in an M365 environment
September 3, 2024 by John Raymond Duncan, EquityTech Consulting LLC

At EquityTech Consulting, we understand the importance of adhering to the regulatory requirements within the financial sector. Recently, we had the opportunity to work with a private equity firm to ensure their Microsoft 365 (M365) environment complied with the SEC's rules on "retention of records relevant to audits and reviews". This rule mandates that firms retain all electronic records, including emails, documents, and communications, for a minimum of seven years. Here’s an overview of how we configured their M365 instance to meet these requirements.

Understanding the SEC Requirements

SEC Rule 17 CFR Part 210 is designed to ensure the integrity and availability of financial records at audit time. It requires organizations to retain electronic records in a format that prevents unauthorized alteration or deletion, so that these records remain accessible for regulatory review for seven years. Our client asked us to help ensure they meet this requirement and protect themselves from potential compliance risks.

How We Configured M365 for 7-Year Data Retention

1. Assessing the Client’s Current M365 Configuration

Our first step was to conduct a thorough assessment of the client’s existing M365 setup. This involved:

  • Reviewing Existing Retention Policies: We analyzed their current retention policies and identified any gaps between these policies and the SEC’s 7-year requirement.
  • Data Inventory: We conducted a comprehensive inventory of all data types and communication channels in use, including emails, Teams messages, SharePoint documents, and OneDrive files.

2. Implementing Retention Policies in Microsoft 365 Purview

Using the tools available in Microsoft Purview (formerly the Microsoft 365 Compliance Center), we established and managed retention policies across the relevant services.

  • Creating a Retention Policy: We created a new retention policy that applied to all pertinent data, specifying a retention period of seven years.
    • Email Retention: We ensured that the policy covered Exchange Online, so all emails were retained for the required period.
    • Document Retention: We applied the policy to SharePoint Online and OneDrive for Business to ensure all documents and files were securely retained.
    • Communication Retention: The policy was also extended to Teams, ensuring that chat messages and other communications were retained for seven years.
  • Retention Labels: We used retention labels to categorize and apply specific retention settings to different types of data, especially sensitive financial records that required stricter controls.

3. Enabling Immutable Storage (Write-Once, Read-Many - WORM)

To comply with the SEC’s requirements, we implemented immutable storage to prevent unauthorized alteration or deletion of records.

  • Immutable Storage in Exchange: We enabled Litigation Hold and In-Place Hold features in Exchange Online, ensuring that emails are stored immutably.
  • SharePoint and OneDrive: We implemented Information Management Policies to enforce immutable storage for SharePoint and OneDrive, protecting documents from alteration or deletion before the retention period comes to an end.

4. Configuring Auditing and Monitoring

Ongoing monitoring and auditing are crucial for maintaining compliance. We set up the following:

  • Audit Logs: We enabled audit logging across all systems, ensuring that all access, modifications, and deletions are tracked and regularly reviewed by the client's Managed Service Provider (MSP).
  • Alerts: We configured alerts for unusual activity, such as attempts to modify or delete data that is subject to the retention policy.
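The retention, immutability and audit-logging steps from sections 2 to 4, expressed as Security & Compliance and Exchange Online PowerShell. This is an added example, not the firm's own scripts; the policy names, the 7 × 365-day duration and the tenant-wide "All" scope are assumptions.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and a Compliance Administrator role. Policy names are placeholders.
Connect-IPPSSession              # Security & Compliance PowerShell
Connect-ExchangeOnline           # Exchange Online PowerShell

$sevenYears = 7 * 365            # Purview stores retention duration in days (assumed 2555)

# Step 2: one policy for Exchange, SharePoint and OneDrive. Teams locations
# cannot share a policy with those workloads, so Teams gets a second policy.
New-RetentionCompliancePolicy -Name "SEC-7yr-Records" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "SEC-7yr-Records-Rule" -Policy "SEC-7yr-Records" `
    -RetentionDuration $sevenYears -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays

New-RetentionCompliancePolicy -Name "SEC-7yr-Teams" `
    -TeamsChatLocation All -TeamsChannelLocation All
New-RetentionComplianceRule -Name "SEC-7yr-Teams-Rule" -Policy "SEC-7yr-Teams" `
    -RetentionDuration $sevenYears -RetentionComplianceAction Keep

# Step 3: Preservation Lock makes the policy itself immutable. Once set, nobody,
# including a Global Administrator, can shorten, disable or delete the policy,
# and the lock cannot be removed. Apply it only after the scope has been verified.
Set-RetentionCompliancePolicy -Identity "SEC-7yr-Records" -RestrictiveRetention $true
Set-RetentionCompliancePolicy -Identity "SEC-7yr-Teams" -RestrictiveRetention $true

# Litigation Hold on every user mailbox keeps even hard-deleted items recoverable.
# (In-Place Holds are retired in Exchange Online; the retention policy above
# covers that role.)
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration $sevenYears

# Step 4: the unified audit log must be on before access, modification and
# deletion events are recorded for review.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Checks the MSP can re-run during each periodic review.
Get-RetentionCompliancePolicy -Identity "SEC-7yr-Records" -DistributionDetail |
    Select-Object Name, Enabled, RestrictiveRetention, DistributionStatus
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.LitigationHoldEnabled } |
    Select-Object UserPrincipalName   # any output here is a mailbox outside the hold
```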

5. Training and Awareness for the Client’s Team

To support ongoing compliance, we provided training and resources to the client’s team.

  • Regular Training: We conducted training sessions to educate the client’s employees on the importance of record retention and how to handle records within the M365 environment.
  • Policy Documentation: We provided clear documentation and guidelines on applying retention labels, managing records, and adhering to the set policies.

6. Regular Compliance Reviews

To ensure long-term compliance, we established a process for regular reviews in collaboration with the client's MSP:

  • Internal Audits: We recommended, and continue to support, periodic internal audits to ensure the M365 instance remains compliant with the 7-year retention rule.
  • Third-Party Assessments: We also suggested third-party reviews to provide additional assurance and recommendations for ongoing compliance.

Conclusion

Through our work with this private equity firm, we demonstrated how EquityTech Consulting can effectively configure and manage a Microsoft 365 environment to comply with the SEC's retention of records rules. By implementing retention policies via Microsoft Purview, enabling immutable blob storage of records, and collaborating to set up auditing practices, we ensured that our client meets and will continue to meet the SEC’s 7-year data retention requirement.

Our proactive approach not only protects the firm from regulatory breaches but also enhances their overall data governance strategy. Compliance is an ongoing process, and with our help, this private equity firm is well-equipped to navigate the complexities of regulatory requirements, confident in the security and integrity of their financial and communication records.

Ready to ensure your organization meets SEC compliance requirements? Contact EquityTech Consulting today to learn how we can help you safeguard your data, streamline your processes, and stay ahead of regulatory demands.
