The Financial Industry Regulatory Authority (FINRA) is ramping up on their commitment to assist the industry in its cybersecurity compliance efforts. Recent guidance to the industry from FINRA includes:
- an Examination Findings Report, detailing observations from recent broker-dealer examinations with the goal of assisting broker-dealers in enhancing their compliance programs and better anticipating potential areas of concern (FINRA included compliance areas to highlight based on the frequency of deficiencies and the potential impact on investors and markets); and
- the 2018 Regulatory and Examination Priorities, in which, notably, FINRA instructed firms to review the priorities in conjunction with the Examination Findings Report.
FINRA called out cybersecurity, in its Examination Findings Report, as one of the “principal operational risks facing broker-dealers.” While acknowledging the increased threats today, FINRA noted that firms have generally increased their focus on cybersecurity issues and some firms examined are at the forefront of developing “cutting-edge cybersecurity programs.”
FINRA detailed areas in which they observed in the examinations that firms’ cybersecurity programs were either effective or deficient. Reviewing the positives and negatives provides valuable information for firms looking to shore up their cybersecurity programs.
Examples of Effective Practices Include:
- Escalation Protocols: Have an escalation process that ensures appropriate level at the firm is apprised of issues to ensure attention and resolution.
- Plans to Resolve Issues: Implement detailed resolution steps and time frames for completion.
- Routine Risk Assessments: Conduct regular risk assessments, including vulnerability and penetration tests.
- Routine Training: Conduct training for firm employees, including training tailored to different functions, in addition to generic cross-firm training.
- Branch Office Reviews: Include cybersecurity focused branch exams to assess risks and identify issues.
- Additional Practices: Implement security information and event management practices, use system usage analytics, and adopt data loss prevention tools.
Examples of Deficient Practices Include:
- Failure to Follow Access Management Steps:
- Not immediately terminating access of departing employees.
- Failing to have processes to monitor or supervise “privileged users” to identify unusual activity (e.g., assigning extra access rights, unauthorized work outside business hours, or logging in from different geographical locations at or about the same time).
- Infrequent or No Risk Assessments:
- No formal risk assessment practices.
- Unable to identify critical assets or potential risks.
- Informal Processes for or Lack of Vendor Management:
- Failed to have formal processes to assess vendor’s cybersecurity preparedness;
- Failed to include required notification of breaches involving customer information in vendor contracts.
- Noncompliant Branch Offices:
- Failed to manage passwords.
- Failed to implement security patches and software updates.
- Failed to update anti-virus software.
- Lacked control of employee use of removable storage devices.
- Use of unencrypted data and devices.
- Failed to report incidents.
- Segregation of Duties:
- Failed to segregate duties for requesting, implementing, and approving cyber-security rules and systems changes.
- Data Loss Prevention:
- Lack of rules to ensure all customer sensitive information is covered.
- Permitted or failed to block large file transfers to outside or untrusted recipients.
- Failed to implement formal change-management processes for data loss prevention systems changes.
FINRA’s 2018 Examination and Regulatory Priorities also include cybersecurity as a priority area. In addition to the areas noted above, which FINRA also calls out in the Priority Letter, FINRA noted two additional themes. One, they will evaluate the effectiveness of firms’ cybersecurity programs in protecting sensitive information. Two, FINRA also reminds firms that they need policies and procedures to determine when a Suspicious Activity Report should be filed regarding a cybersecurity event. (See, FinCEN’s Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, Oct. 25, 2016.)
Conclusion
FINRA reminds firms that, while exam deficiencies must be addressed, firms often benefit from “proactively” remediating issues before the exam is completed. Acting proactively strengthens firms’ programs and enhances regulatory protections. Our observation, as outside counsel, is that when firms take proactive steps to get ahead of issues, it demonstrates to the regulators that the firm has a commitment to a strong compliance program and, in the right circumstances, may have a material impact on how FINRA decides to resolve an issue.
The information FINRA provides in the Examination Report and Priorities Letter provide roadmaps to enhancing overall compliance, supervisory, and risk management programs. With regard to the focus on cybersecurity, by using this resource, firms can effectively prepare for examinations and potentially prevent program gaps and avoiding cybersecurity incidents.