Cyber Still Atop Exam Priorities

Burr & Forman

FINRA held its bi-annual Cybersecurity Conference in January and recently published five real-world take-aways from the conference:

  • A firm’s social media posts about a charity golf tournament tipped off the scammers as to when to send an urgent email changing wire instructions: while most of the firm’s management was out on the course;
  • A thumb-drive planted in a parking lot and labeled “bonuses,” “payroll,” or “commissions” proved bait too tasty for a firm’s personnel to resist;
  • Even the best vendor-based data systems have hidden vulnerabilities lurking among the users, interfaces and reporting systems on the firm/client side;
  • An hour-long table-top incident-response drill that actually locked the C-suite participants out of their network drove home the point, increased buy-in and led to process improvements far beyond what a merely academic exercise would have produced;
  • Multi-factor authentication doesn’t always work, as one firm found when a phishing attack compromised a trusted device and used it to gain access to customer accounts.

The blog post from the conference is here and it provides links to the conference materials and FINRA’s cybersecurity page, too.

Cybersecurity continues as a top priority for both SEC and FINRA exam programs.

SEC OCIE Priorities.

For the SEC, cybersecurity appears twice among the SEC’s priorities for 2020, first as “information security” and again under the FinTech and Digital Assets categories. OCIE broadly emphasizes culture, tone at the top and empowering compliance across seven broad categories:

  1. Retail investors and seniors, especially regarding disclosures and conflicts of interest, and the implementation of Regulation Best Interest (“Reg. BI”).
  2. Information Security.
  3. FinTech, including how registrants deal with digital assets, robo-advice and cyber-security.
  4. Risk-based focus areas:

    (a) For RIAs, new or never-examined RIAs, especially (i) governance / risk management; (ii) access controls; (iii) data loss prevention; (iv) vendor management; (v) training; and (vi) incident response / BCP.

    (b) For BDs, Reg. BI/CRS

    (c) For Municipal Advisors, compliance with the still-relatively-new MA regulatory regime.

  5. Anti-Money-Laundering compliance.
  6. Market infrastructure for clearing agencies, exchanges, and transfer agents, including Reg. Systems Compliance and Integrity (“SCI” – another manifestation of information security).
  7. Regulating the regulators through oversight of FINRA and MSRB.

During FY 2019, of 3,089 exams conducted by OCIE, over 2,000 (65%) yielded deficiency letters and over 150 (5%) caused enforcement referrals. OCIE’s exam priorities are here.

FINRA’s Exam Priorities.

FINRA’s 2020 Risk Monitoring and Examination Priorities Letter mirrored those same concerns and highlighted four broad categories:

  1. Sales Practice & Supervision
    a. Reg. BI and Form CRS (compliance deadline June 30, 2020). See FINRA’s Reg. BI/CRS Checklist, here.
    b. Private Placement Retail Communications … 1st Global, Woodbridge, low-interest-rate environment
    c. Digital Communication Channels
    d. IPOs
    e. Trading Authorizations
  2. Market Integrity
    a. Direct Access
    b. Best Execution, also the subject of FINRA’s recent targeted exam letter, discussed here.
  3. Financial Management
    a. Digital Assets
    b. Liquidity Management
    c. LIBOR to SOFR Transition (with its end-2021 compliance deadline)
  4. Operations
    a. Cybersecurity
    b. Technology Governance

FINRA’s exam priorities letter is here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burr & Forman | Attorney Advertising