Going for Brokerages: FINRA and SEC Take Aim at Deficient Cyber Policies and Practices

Orrick, Herrington & Sutcliffe LLP

On Feb. 3, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each released reports regarding cybersecurity issues for brokerage and advisory firms, both of which should be considered required reading for chief information security officers, chief information officers, legal teams and anyone else responsible for managing cybersecurity risk. These reports highlight best practices for managing cybersecurity risk and areas for potential improvement, and should encourage firms to consider further investments in cybersecurity because, as FINRA specifically points out, it ‘‘expects firms to consider the principles and effective practices presented in the report as they develop or enhance their cybersecurity programs.’’ As a result, firms should anticipate that elements covered in the reports will be benchmarks for measuring the effectiveness of a firm’s cybersecurity program in any enforcement action brought by either the SEC or FINRA. The SEC’s National Exam Program Risk Alert, ‘‘Cybersecurity Examination Sweep Summary,’’ summarizes the cybersecurity policies and practices of 57 registered broker dealers and 49 registered investment advisers based on examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (OCIE). FINRA’s more detailed ‘‘Report on Cybersecurity Practices’’ also summarizes cybersecurity programs at a broad array of firms, but it goes further, making the FINRA report particularly important for a number of other reasons. First, the report makes clear that FINRA has been active in bringing cybersecurity-related enforcement actions against both firms and individual executive officers when customer data are put at risk or compromised. Careful review of these case studies highlights factors that FINRA considers important in determining whether firms have satisfied their cybersecurity obligations. Second, the report sets out a series of detailed principles and effective practices for risk assessments, incident response plans and governance, among others. These principles and practices offer a road map for cybersecurity planning and risk management and establish baseline standards to which FINRA will hold firms accountable. Finally, the report provides very specific recommendations that firms can operationalize, demonstrating FINRA’s sophistication in cyber and data security matters.

Originally published in Bloomberg BNA's Privacy & Security Law Report, 14 PVLR 580, 04/06/2015.

Please see full article below for more information.

LOADING PDF: If there are any problems, click here to download the file.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising

Written by:

Orrick, Herrington & Sutcliffe LLP

Orrick, Herrington & Sutcliffe LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.