Cybersecurity and technology governance remain a top area of focus for the SEC and FINRA, as the regulators continue to concentrate on improving the overall cybersecurity posture and resiliency of the financial sector. FINRA covered this in its 2022 Report on its Examination and Risk Monitoring Program. The SEC is also implementing a campaign to overhaul the agency’s expectations around cybersecurity and cyber incident reporting for the financial services industry and corporate America generally.
FINRA “expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.” FINRA also spotlights the risks posed by technology-related programs (e.g., change and program management practices and increased trading volumes) that can “expose firms to operational failures that may compromise firms’ ability to comply with a range of rules and regulations.” FINRA specifically cited FINRA Rules 3110 (Supervision), 4370 (Business Continuity Plans and Emergency Contact Information), and 4511 (General Requirements for books and records), as well as SEC Rules 17a-3 and 17a-4 (broker-dealer recordkeeping and record preservation).
FINRA’s primary theme across this focus area is the sufficiency of firms’ internal processes, procedures, and controls. FINRA laid out the related regulatory obligations and considerations, together with effective practices drawn from exam findings, some of which we summarize below. Many of these focus areas are consistent with the SEC’s cybersecurity initiatives for registrants, particularly the modernization of Regulation S-P and the cybersecurity risk presented by service providers. Firms should take note of the expanding priorities related to cybersecurity and resiliency and use the SEC’s recent remarks and the FINRA Report as a roadmap to ensure that they satisfy existing regulatory obligations and are well-positioned to address the new regulatory expectations that will surely take shape.
New FINRA Focus Areas:
- Establishing and maintaining:
  - (A) adequate and ongoing risk assessment processes for cyber and IT risks (e.g., testing of implemented controls and conducting regular penetration testing); and
  - (B) data loss prevention programs, including encrypting all confidential data (e.g., non-public customer information, SSNs, and other account profile information) and sensitive firm information.
- Monitoring and testing the capacity of online systems (e.g., tracking average and peak utilization and system changes), including to anticipate the need for additional resources based on increases in accounts or trading volumes.
- Requiring customers to use multi-factor authentication to access their online accounts.
Not New, But Certainly Still Top-of-Mind:
- Providing ongoing, relevant (i.e., to roles and responsibilities), and comprehensive training on cybersecurity risks to registered representatives, other firm personnel, third-party providers, and consultants.
- Implementing controls related to:
  - (A) vendor management, including documenting formal policies and procedures to review the cybersecurity controls of prospective and existing vendors and managing the lifecycle of every vendor engagement from onboarding to off-boarding (e.g., how vendors dispose of non-public client information), including ongoing monitoring; and
  - (B) access, such as (i) granting system and data access only when required and removing it when no longer needed (i.e., a “policy of least privilege”); (ii) limiting and tracking the individuals with administrator access; and (iii) MFA for registered representatives, employees, vendors, and contractors.
- Sufficient supervisory oversight for application and technology changes (e.g., upgrades, modifications to or integration of firm or vendor systems).
- Establishing, and regularly and adequately testing:
  - (A) procedures for managing system changes and capacity so as to avoid malfunctions in order management systems, online account access, and trading algorithms; and
  - (B) a written, formal incident response plan that sets out procedures for responding to cybersecurity and information security incidents, along with frameworks to identify, classify, prioritize, track, and close cybersecurity-related incidents.
- Implementing change management procedures to protect non-public information and firm services.