On Feb. 3, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each released reports regarding cybersecurity issues for brokerage and advisory firms, both of which should be considered required reading for chief information security officers, chief information officers, legal teams and anyone else responsible for managing cybersecurity risk. These reports highlight best practices for managing cybersecurity risk and areas for potential improvement, and should encourage firms to consider further investments in cybersecurity because, as FINRA specifically points out, it ‘‘expects firms to consider the principles and effective practices presented in the report as they develop or enhance their cybersecurity programs.’’ As a result, firms should anticipate that elements covered in the reports will be benchmarks for measuring the effectiveness of a firm’s cybersecurity program in any enforcement action brought by either the SEC or FINRA. The SEC’s National Exam Program Risk Alert, ‘‘Cybersecurity Examination Sweep Summary,’’ summarizes the cybersecurity policies and practices of 57 registered broker dealers and 49 registered investment advisers based on examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (OCIE). FINRA’s more detailed ‘‘Report on Cybersecurity Practices’’ also summarizes cybersecurity programs at a broad array of firms, but it goes further, making the FINRA report particularly important for a number of other reasons. First, the report makes clear that FINRA has been active in bringing cybersecurity-related enforcement actions against both firms and individual executive officers when customer data are put at risk or compromised. Careful review of these case studies highlights factors that FINRA considers important in determining whether firms have satisfied their cybersecurity obligations. Second, the report sets out a series of detailed principles and effective practices for risk assessments, incident response plans and governance, among others. These principles and practices offer a road map for cybersecurity planning and risk management and establish baseline standards to which FINRA will hold firms accountable. Finally, the report provides very specific recommendations that firms can operationalize, demonstrating FINRA’s sophistication in cyber and data security matters.

Originally published in Bloomberg BNA's Privacy & Security Law Report, 14 PVLR 580, 04/06/2015.