Cybersecurity Still Top FINRA Operational Risk

Carlton Fields
[co-author: Gail Jankowski]

On January 4, the Financial Industry Regulatory Authority (FINRA) published its annual Regulatory and Examination Priorities Letter providing firms with information about areas FINRA plans to review in 2017 as well as observations resulting from examinations and other industry interactions. As the letter reflects, cybersecurity threats continue to be one of the most significant operational risks faced by firms.

While FINRA acknowledges that there is no one-size-fits-all approach to cybersecurity, its 2017 letter reinforces its commitment to advising an approach grounded in risk management and effective control mechanisms for maintaining firms’ security and integrity. Among the areas of focus are firms’ methods for preventing data loss and controls to monitor and protect data. Specifically, the letter emphasizes two shortcomings in the area of controls. The first is cybersecurity controls at branch offices, such as independent contractor branch offices, which FINRA has found to be weaker than those at firms’ home offices. FINRA has also observed insufficient controls in the areas of password protection, data encryption, portable storage devices, patches and virus protection, and the physical security of assets and data. The second shortcoming is in the area of obligations under Securities Exchange Act (SEA) Rule 17a-4(f), which requires firms to preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once read many (WORM) format. In this regard, FINRA noted that it recently brought enforcement actions against 12 firms for their failure to preserve broker-dealer and customer records in WORM format. FINRA also stated that it will prioritize its review of firms’ management of vendor relationships and advised firms that insider threats to cybersecurity are evolving to include more discreet sources of risk such as mobile employees and contractors.

FINRA’s 2017 letter aligns with the priorities laid out in both its 2016 Regulatory and Examination Priorities Letter and 2015 Cybersecurity Report, so firms can expect continued emphasis in the following areas of cyber and information security:

  • supervision
  • governance and risk assessment/management
  • implementation of technical controls
  • written and tested preparedness, defense, response, and recovery plans
  • employee training
  • management of vendor relationships
  • sharing threat intelligence
  • preservation of records
  • compliance with SEC Regulation S-P and Securities Exchange Act (SEA) Rule 17a-4(f)

The letter also announced plans to initiate off-site electronic information requests in an effort to supplement its traditional on-site cycle examinations. Given this continued prioritization of cybersecurity, it is likely that firms will receive more inquiries concerning their cybersecurity practices as part of these off-site examinations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising
