As a former FINRA Enforcement lawyer and Regulatory Specialist on FINRA’s Cybersecurity and Information Technology Disposition Group, I can say unambiguously that cybersecurity is top-of-mind with FINRA, the U.S. private sector regulator of the securities industry. Cybersecurity examinations are on the rise in 2016, and the trend is very likely to escalate in 2017.
Step back to February 2015. FINRA issued its Report on Cybersecurity Practices, which shined a regulatory spotlight on cybersecurity. FINRA’s Report provides a framework of principles and practices that firms can use to counter cybercriminals who target the securities industry for illicit monetary gain.
Since early 2015, FINRA has placed cybersecurity squarely in its examination cross-hairs. This year, FINRA issued its 2016 Regulatory and Examination Priorities Letter and announced that it would review firms’ approaches to cybersecurity risk management.
What are the "red flags" FINRA examiners are looking at?
So, what’s under the cybersecurity examination microscope? Undoubtedly, governance, risk assessment, technical controls, incident response, vendor management, data loss, and staff training. Examiners will also look deeper for “red flags” of inadequate cybersecurity written policies and procedures, lax cybersecurity with vendors, and weaknesses in safeguarding customer information and assets.
It is imperative that firms conduct and document a cybersecurity risk assessment before an examination. Otherwise, a firm will be in an untenable position trying to explain the rationale of its cybersecurity program or – worse yet – why it has no cybersecurity program at all.
Violations can escalate from informal resolution to formal enforcement actions
Ultimately, violations of FINRA and SEC rules – such as FINRA Rule 3110 (supervision) and Rule 30 of SEC Regulation S-P (safeguarding customer records and information) – can result in disciplinary action. Although a significant number of disciplinary actions are resolved informally – through cautionary action letters – serious and egregious violations often escalate to formal enforcement actions resulting in hefty fines and sanctions.
Recently, FINRA imposed a $225,000 fine against a firm for failing to establish and maintain a supervisory system reasonably designed to safeguard confidential customer information, in violation of FINRA and SEC rules. A firm employee lost an unencrypted laptop containing highly sensitive, personal and confidential information of over 352,000 customers. In sanctioning the firm, FINRA reasoned that the firm’s written supervisory procedures “did not address the technology in use, specifically laptops” and the firm “failed to take appropriate technological precautions to protect customer and highly sensitive information.”
Because cybercrime is a central threat to investor protection, and nearly two years have passed since FINRA’s Report on Cybersecurity Practices, FINRA will undoubtedly raise intensity on cybersecurity compliance, likely resulting in increased disciplinary actions and sanctions for violations of FINRA and SEC rules.
The unanswered question is: Are firms ready?