On January 8, 2018, the Financial Industry Regulatory Authority (“FINRA”) published its 2018 Regulatory and Examination Priorities Letter, which provides an overview of particular areas of regulatory focus in the upcoming year. Under the category of operational and financial risks, FINRA specifically identifies cybersecurity as a high-priority area that member broker-dealer firms “may wish to consider as they identify opportunities to improve their compliance, supervisory and risk management programs” and commends the firms that have already devoted resources to this important area. The letter notes that FINRA will assess the effectiveness of member firms’ cybersecurity programs at guarding sensitive information (including personally identifiable information) as well as such firms’ cybersecurity preparedness, technical defenses and resiliency measures. FINRA also reminds member firms that they are required to have policies and procedures in place to evaluate whether a suspicious activity report must be filed with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) upon identification of a cybersecurity incident. The letter also advises review of the 2017 Report on FINRA Examination Findings for further information about FINRA’s cybersecurity concerns and observations regarding effective cybersecurity practices.
FINRA conducts periodic examinations of each of its member firms at least once every four years for compliance with securities rules and regulations and prepares a report identifying issues for remediation, which it makes available to each examined member on a private basis. On December 6, 2017, FINRA issued for the first time a report summarizing high-level observations on its examination findings for the preceding review cycle, to serve as an additional resource to member firms seeking to improve their compliance and risk management programs and to address particular areas for improvement in advance of their own examinations. FINRA explains that the report merely “describes certain practices that FINRA has observed to be effective” and clarifies that it will not require members to implement the specific practices described in the report.
The first observation in the report is dedicated to cybersecurity, which FINRA describes as “one of the principal operational risks facing broker-dealers.” The report summarizes Rule 30 of Securities and Exchange Commission Regulation S-P, which requires broker-dealers, investment companies and investment advisers to adopt written policies and procedures addressing safeguards for the protection of customer information and records. The report goes on to note that evaluated firms with effective cybersecurity programs shared the following characteristics: (i) they established strong governance structures and procedures for risk management (and treated cybersecurity risks within that framework), (ii) escalated potential threats and risk assessment and acceptance to appropriate levels, (iii) conducted periodic risk assessments with concrete and time-limited follow-up responses, (iv) performed periodic vulnerability and penetration tests, (v) implemented frequent role-specific and role-agnostic employee cybersecurity training and testing and (vi) engaged in detailed branch cybersecurity reviews where appropriate.
The report also identified commonly observed areas for improvement, including (i) promptly terminating departing employees’ access to firm systems and implementing access management processes to detect anomalies such as concurrent log-ins or unauthorized off-hours work, (ii) adopting formal procedures for risk assessments as well as the identification of critical firm assets and potential risks thereto, (iii) adopting formal procedures for review of vendors’ cybersecurity practices and policies, including breach notification obligations, (iv) where the member firm is contracting with a parent entity for cybersecurity services, sufficiently documenting the provision of such services, for example pursuant to a service-level agreement, (v) ensuring branch offices maintain the same level of cybersecurity as the home office, (vi) with respect to certain small and medium-sized member firms, segregating the responsibilities for requesting, implementing and authorizing changes to cybersecurity rules and systems, such that a single party such as an application developer or network engineer could not make unilateral changes without appropriate oversight and (vii) strengthening existing data loss prevention procedures, such as by expanding rules that prohibit transmission of social security numbers to encompass financial account numbers and creating thresholds for file transfers that would flag or prevent transfers above a certain size to unauthorized outside recipients. The report includes a reference to FINRA’s cybersecurity subpage (link below) which contains additional information on cybersecurity, including a checklist for small-sized member firms.
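Three of the areas for improvement listed above (detecting concurrent log-ins and off-hours activity, and flagging oversized transfers to unauthorized outside recipients) translate directly into detection rules. The following is an added illustration, not code from FINRA or the report; the log format, thresholds, approved-domain list and sample log lines are all constructed assumptions.

```python
# Added example, not code from FINRA or the report: checks for three gaps the
# report lists (concurrent log-ins, off-hours log-ins, oversized transfers to
# unapproved recipients). Log lines, field layout and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 20)                 # assumed 07:00-19:59 local time
CONCURRENT_WINDOW = timedelta(minutes=30)     # assumed overlap window
TRANSFER_LIMIT_BYTES = 50 * 1024 * 1024       # assumed 50 MiB threshold
APPROVED_DOMAINS = {"example-firm.test", "vendor.test"}   # constructed allow-list

# Constructed log lines: timestamp|event|user|source_ip|key=value;...
SAMPLE_LOG = """\
2018-01-08T09:02:11|login|jsmith|10.0.1.15|
2018-01-08T09:10:45|login|jsmith|203.0.113.7|
2018-01-08T22:41:03|login|akim|10.0.1.22|
2018-01-08T10:15:00|transfer|jsmith|10.0.1.15|recipient=partner@vendor.test;bytes=1048576
2018-01-08T11:30:00|transfer|rlee|10.0.1.30|recipient=someone@mail.test;bytes=104857600
"""

def parse_log(text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, source, detail = line.split("|", 4)
        extra = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "source": source, **extra})
    return sorted(events, key=lambda e: e["ts"])

def detect_anomalies(events):
    """Return (rule, user, detail) findings for the three rules above."""
    findings, logins = [], defaultdict(list)
    for e in events:
        if e["event"] == "login":
            if e["ts"].hour not in BUSINESS_HOURS:       # off-hours activity
                findings.append(("off_hours_login", e["user"], e["ts"].isoformat()))
            for prior_ts, prior_src in logins[e["user"]]:  # same user, new source
                if prior_src != e["source"] and e["ts"] - prior_ts <= CONCURRENT_WINDOW:
                    findings.append(("concurrent_login", e["user"],
                                     f"{prior_src} and {e['source']}"))
            logins[e["user"]].append((e["ts"], e["source"]))
        elif e["event"] == "transfer":                     # DLP size threshold
            domain = e["recipient"].rsplit("@", 1)[-1]
            if domain not in APPROVED_DOMAINS and int(e["bytes"]) > TRANSFER_LIMIT_BYTES:
                findings.append(("large_external_transfer", e["user"], e["recipient"]))
    return findings
```

Running `detect_anomalies(parse_log(SAMPLE_LOG))` on the constructed log yields one finding per rule; in practice the window, hours and threshold would come from the firm's documented risk assessment rather than the constants above.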
The full text of the FINRA 2018 Regulatory and Examination Priorities Letter is available here.
The full text of the 2017 Report on FINRA Examination Findings is available here.
The FINRA cybersecurity subpage is located here.