Emily P. Gordy

Emily advises her clients as they navigate the complexities inherent in the securities regulatory environment. Drawing on her wealth of experience as a regulator, she handles a wide range of compliance and enforcement issues affecting broker-dealers, investment advisers, investment companies, and municipal securities dealers.

FINRA’s examination program has undergone its most significant reorganization in decades. As stated in a press release, Oct. 1, 2018, FINRA’s goal for the reorganization was to “consolidate its Examination and Risk Monitoring Programs, integrating three separate programs into a single, unified program to drive more effective oversight and greater consistency, eliminate duplication and

On January 7, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released its 2020 examination priorities.  OCIE is prioritizing practices, products, and services that it believes present heightened risks to investors or market integrity.  The examination priorities are organized around seven themes, many of which build on OCIE’s priorities

FINRA issued their 2019 Report on Examination Findings and Observations ahead of prior years’ reports.

FINRA Changes Approach in Communicating Exam Results 

This most recent report, issued on October 16, 2019, starts by highlighting a recently implemented distinction in how FINRA communicates exam results to firms. FINRA stated that it now reports “findings,” which are violations of the rules, and “observations” (f/k/a “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.”
Continue Reading Cybersecurity Best Practices: FINRA’s 2019 Exam Observations

On May 21, the North American Securities Administrators Association (NASAA)—an organization comprised of 67 securities regulators within the United States (all fifty states as well as districts and territories), Canada, and Mexico—released a model cybersecurity rule package governing state-registered investment advisors’ cybersecurity and privacy practices.  The model rule package, which would need to be adopted by an individual state so as to become law in that jurisdiction, provides a structure for how state-registered investment advisers must design their information security policies and procedures.
Continue Reading North American Securities Administrators Association (NASAA) Releases Model Cybersecurity Rule

On April 16, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting Regulation S-P compliance deficiencies and issues it found in recent examinations of broker-dealers and investment advisers.  Regulation S-P is the primary SEC rule detailing the safeguards these firms must take to protect customer privacy.  The Risk Alert provides an important reminder for firms to assess their supervisory and compliance programs related to Regulation S-P and make any necessary changes to strengthen those systems.  Indeed, in light of the substantial fines that can accompany a finding that Regulation S-P has been violated, firms must pay careful attention to the OCIE’s guidance regarding potential pitfalls.
Continue Reading SEC OCIE Highlights Potential Deficiencies in Firm Privacy Policies

Penetration testing or conducting a pen test can be a key element in a firm’s arsenal to protect itself against cyber intrusions. Firms use pen tests to test potential vulnerabilities of their networks, determine where there may be gaps, and assess their cybersecurity defenses. Today’s post is the fourth in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first, second, and third posts on cybersecurity practice impacts.
Continue Reading FINRA’s 2018 Report on Cybersecurity Practices: Cybersecurity and Pen Testing: Why Go Looking for Trouble?

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the third in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first and second posts on cybersecurity practice impacts.

This post focuses on threats posed by insiders of the firm, which may arise from either deliberate, malicious conduct or inadvertent mistakes. Both types of data breaches create significant risk to the firm and its customers. In the Report, FINRA notes that, while most higher revenue firms (95-99%) address insider threats as part of the program, only 66% of mid-level revenue firms address such risks. Its assessment comes from its review of firm responses to relevant inquiry areas in the 2017 and 2018 Risk Control Assessment (RCA).
Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Insider Threats If Your Program Only Focuses on External Threats, You are Only Halfway There

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.   
Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Preventing “Spear Phishing” and “Whaling” Attacks

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why Cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in their examination findings report. Not surprisingly, albeit somewhat unusually, the importance of the topic and FINRA’s insights warranted a separate communication.
Continue Reading FINRA Issues 2018 Report on Selected Cybersecurity Practices