FINRA Releases Report On Examination Program Observations

King & Spalding

On December 6, 2017, the Financial Industry Regulatory Authority (“FINRA”) issued a report describing findings and observations from its member firm examination program (the “Report”). The Report, available here, is designed to serve as a resource for member firms to help assess their compliance processes by highlighting FINRA’s takeaways from recent exams. One of the topics covered in the Report is cybersecurity, which the Report states is “one of the principal operational risks facing broker-dealers.” 

The Report notes that firms’ cybersecurity programs are governed primarily by SEC Rule 30 of Regulation S-P, which mandates that firms adopt written policies and procedures to protect customer information. The Report acknowledges that firms’ attention to cybersecurity issues has increased substantially over the past two years, but the quality of risk management practices has varied. Firms that had robust cybersecurity programs “typically established strong governance structures and processes (scaled to the firm) that addressed cybersecurity in a risk management context” and “escalated risk acceptance decisions and problems to the appropriate levels for resolution, as well as to inform future program development.” Other hallmarks of effective cybersecurity programs included cybersecurity training and testing for employees and risk assessments that featured specific plans to address concerns.

The Report remarks on the evolving cyber vulnerability environment and identifies common cyber threats of the past two years, such as “phishing and spearphishing attacks, ransomware attacks and fraudulent third-party wires that frequently involve use of email or stolen customer or financial advisor credentials.” The Report highlights a few areas where member firms can enhance cyber defenses, including access management, vendor management, and data loss prevention.

With respect to access management, the Report notes that certain firms under examination “did not address basic access management issues such as terminating departing employees’ access to firm systems on a timely basis.” Regarding vendors, the Report states that some firms did not have proper processes in place for assessing cybersecurity preparedness at vendors, pointing out that “some firms’ contracts with vendors did not address key questions such as the vendor’s responsibilities regarding notification to the firm in the event of a breach of customer or firm data.” On data loss prevention, the Report concludes that firms could enhance data loss prevention programs through improvements like “broadening rules that prevent transmission of Social Security numbers to include additional sensitive data such as customer account numbers” and “establishing thresholds to flag or block large file transfers to outside and untrusted recipients.”

The Report also features FINRA’s observations on a number of topics other than cybersecurity, including anti-money laundering compliance, product suitability, market access controls, and net capital and credit risk assessments. FINRA cautioned that the Report is not a comprehensive summary of all its observations across the industry and “should not be read as creating new legal or regulatory requirements or new interpretations of existing requirements.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

