On January 4, the Financial Industry Regulatory Authority (FINRA) published its annual Regulatory and Examination Priorities Letter providing firms with information about areas FINRA plans to review in 2017 as well as observations resulting from examinations and other industry interactions. As the letter reflects, cybersecurity threats continue to be one of the most significant operational risks faced by firms.
While FINRA acknowledges that there is no one-size-fits-all approach to cybersecurity, its 2017 letter reinforces its commitment to advising an approach grounded in risk management and effective control mechanisms for maintaining firms' security and integrity. Among the areas of focus are firms' methods for preventing data loss and controls to monitor and protect data. Specifically, the letter emphasizes two shortcomings in the area of controls. The first is cybersecurity controls at branch offices, such as independent contractor branch offices, which FINRA has found to be weaker than those at firms' home offices. FINRA has also observed insufficient controls in the areas of password protection, data encryption, portable storage devices, patches and virus protection, and the physical security of assets and data. The second shortcoming is in the area of obligations under Securities Exchange Act (SEA) Rule 17a-4(f), which requires firms to preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once read many (WORM) format. In this regard, FINRA noted that it recently brought enforcement actions against 12 firms for their failure to preserve broker-dealer and customer records in WORM format. FINRA also stated that it will prioritize its review of firms' management of vendor relationships and advised firms that insider threats to cybersecurity are evolving to include more discreet sources of risk such as mobile employees and contractors.
FINRA's 2017 letter aligns with the priorities laid out in both its 2016 Regulatory and Examination Priorities Letter and 2015 Cybersecurity Report, so firms can expect continued emphasis in the following areas of cyber and information security:
- governance and risk assessment/management
- implementation of technical controls
- written and tested preparedness, defense, response, and recovery plans
- employee training
- management of vendor relationships
- sharing threat intelligence
- preservation of records
- compliance with SEC Regulation S-P and Securities Exchange Act (SEA) Rule 17a-4(f)
The letter also announced plans to initiate off-site electronic information requests in an effort to supplement its traditional on-site cycle examinations. Given this continued prioritization of cybersecurity, it is likely that firms will receive more inquiries concerning their cybersecurity practices as part of these off-site examinations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.