Cybersecurity Programs at Securities Firms under Increasing Scrutiny by the Financial Industry Regulatory Authority (FINRA): Shutts & Bowen LLP

Cybersecurity Programs at Securities Firms under Increasing Scrutiny by the Financial Industry Regulatory Authority (FINRA)

11.7.16 | shuttscybersec

Cybersecurity Programs at Securities Firms Under Increasing Scrutiny by FINRA, Florida CyberTech Blog, Kevin Rosen As a former FINRA Enforcement lawyer and Regulatory Specialist on FINRA’s Cybersecurity and Information Technology Disposition Group, I can say unambiguously that cybersecurity is top-of-mind with FINRA, the U.S. private sector regulator of the securities industry. Cybersecurity examinations are on the rise in 2016, and the trend is very likely to escalate in 2017.

Step back to February 2015. FINRA issued its Report on Cybersecurity Practices, which shined a regulatory spotlight on cybersecurity. FINRA’s Report provides a framework of principles and practices for firms to countermeasure against cybercriminals who target the securities industry for illicit monetary gain.

Since early 2015, FINRA has placed cybersecurity squarely in its examination cross-hairs. This year, FINRA issued its 2016 Regulatory and Examination Priorities Letter and announced that it would review firms’ approaches to cybersecurity risk management.

What are the "red flags" FINRA examiners are looking at?

So, what’s under the cybersecurity examination microscope? Undoubtedly, governance, risk assessment, technical controls, incident response, vendor management, data loss, and staff training. Examiners will also look deeper for “red flags” of inadequate cybersecurity written policies and procedures, lax cybersecurity with vendors, and weaknesses in safeguarding customer information and assets.

It is imperative that firms conduct and document a cybersecurity risk assessment, before encountering an examination. Otherwise, firms will be in an untenable position trying to explain the rationale of its cybersecurity program or – worse yet – why the firm has no cybersecurity program.

Violations can escalate from informal resolution to formal enforcement actions

Ultimately, violations of FINRA and SEC rules – such as FINRA Rule 3110 (supervision) and Rule 30 of SEC Regulation S-P (safeguarding customer records and information) – can result in disciplinary action. Although a significant number of disciplinary actions are resolved informally – through cautionary action letters – serious and egregious violations often escalate to formal enforcement actions resulting in hefty fines and sanctions.

Recently, FINRA imposed a $225,000 fine against a firm for failing to establish and maintain a supervisory system reasonably designed to safeguard confidential customer information, in violation of FINRA and SEC rules. A firm employee lost an unencrypted laptop containing highly sensitive, personal and confidential information of over 352,000 customers. In sanctioning the firm, FINRA reasoned that the firm’s written supervisory procedures “did not address the technology in use, specifically laptops” and the firm “failed to take appropriate technological precautions to protect customer and highly sensitive information.”

Because cybercrime is a central threat to investor protection, and nearly two years have passed since FINRA’s Report on Cybersecurity Practices, FINRA will undoubtedly raise intensity on cybersecurity compliance, likely resulting in increased disciplinary actions and sanctions for violations of FINRA and SEC rules.

The unanswered question is: Are firms ready?