The Financial Industry Regulatory Authority (“FINRA”) released its annual Regulatory and Examination Priorities Letter on January 5, listing cybersecurity as a 2016 examination priority.1 The letter broadly identifies new and recurring areas of concern important to FINRA’s regulatory programs and investor risk protection, including cybersecurity risk management and preparedness. Although cybersecurity already received strict regulatory scrutiny in 2015,2 its inclusion as a 2016 priority indicates that it will continue to be a top area of concern in the year ahead.
Among its objectives to focus generally on supervision, risk management, and controls within firms, FINRA specifically notes its continued emphasis on ensuring cybersecurity defenses in light of the persistence and evolving nature of cyber threats and the continued lack of preparedness among firms. Firms are particularly prone to risks from:
- unapproved internal and external access to client accounts;
- insecure online trading systems and asset transfer systems; and
- improper management of firms’ vendor relationships.
As a result, FINRA intends to “review firms’ approaches to cybersecurity risk management,” including the examination of firm processes and controls related to:
- governance;
- risk assessment;
- technical controls;
- incident response;
- vendor management;
- confidentiality of sensitive customer information;3
- data loss prevention;
- trading system accessibility; and
- staff training.
Going forward, firms should note this extended regulatory focus and continue to update and enhance their comprehensive information security programs, which should already be in place.4