The Securities and Exchange Commission continues to be active in the area of cybersecurity. A recent Letter of Consent issued by the agency’s Financial Industry Regulatory Authority (FINRA) contained some startling new requirements that, if enforced by FINRA, could place a significant burden on financial firms in regard to their privacy and cybersecurity policies.
FINRA and cybersecurity policies
Since the enactment of SEC Regulation S-P in 2000, the SEC has required every broker, dealer, and investment company to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” FINRA has taken an increasingly aggressive role in protecting the privacy and security of banking customers’ personal information. FINRA has passed regulations requiring member firms to maintain systems that ensure customer confidentiality and protect against anticipated threats and unauthorized access to customer information. Failure to follow such regulations can result in regulatory investigations and fines.
However, the latest example of this trend seems to require member firms to micro-manage their registered representatives to an unprecedented level. No longer is it sufficient for firms to outline the required security standards in their policies; they must inform representatives of what light bulb to use and how to turn the light on.
FINRA’s new “Financial Industry Regulatory Authority Letter of Acceptance, Waiver and Consent No. 2013035036601,” released November 15, 2016, involves a Lincoln Financial Group (LFG) representative and its loss of around 5,400 customer records from a cloud-based computing server. In 2011, an LFG registered representative began storing customer records on a cloud-based computer server hosted by a third-party service provider. According to the Letter of Consent, when LFG entered into agreements with the provider of the cloud service, it failed to ensure that the service provider installed adequate antivirus protections, failed to require the provider to properly encrypt customer data stored on the cloud to prevent unauthorized access and use, and failed to maintain proper oversight of the provider through its audit and compliance process.
However, the most interesting – and problematic – portion of the Letter of Consent was FINRA’s discussion of why LFG’s written security policy was insufficient. The firm’s written security policy required that adequate firewalls be used to protect customer information. FINRA found this insufficient:
The Data Security Policy did not, however, provide guidance to representatives on what type of firewall was sufficient or how to install such a firewall. Instead, the firm’s Data Security Policy left it to the Firm’s representatives to interpret, understand, and adequately apply the Data Security Policy’s general recommendations when many of the Firm’s representatives lacked the technical expertise to do so.
Apparently, firms must assume that anyone reading these policies lacks the knowledge to understand them and does not have the initiative to ask for clarification or guidance when necessary. Extrapolating further, firms must explain in their written security policies the technical, administrative, and physical safeguards representatives are required to implement, and include detailed information regarding the appropriate tools, systems, or devices they are required to use and how to install such devices. The sheer size of such a policy could be overwhelming. And while organizations hope that their employees, contractors, representatives, and agents read each and every policy from cover to cover, most recognize that this is an unrealistic expectation.
The most startling takeaway from this Letter of Consent is the seeming requirement for institutions subject to FINRA authority to provide detailed specifics on technological security practices, including outlining in data security policies the precise types of technology to be used and how that technology is to be installed. Considering the speed with which technological security measures change, this guidance places a heavy burden on those subject to FINRA authority. Such entities must ensure their data security policies include specific references to the most up-to-date security measures to be employed. These policies should include instructions for those reading the policy on how such measures are to be deployed, instructions that are understandable to those with little or no technical acumen.
It is unclear whether FINRA truly meant to impose such a heavy burden on entities subject to its authority or if the statements in this matter were made because of particular facts relevant to this incident involving a party who had violated standards multiple times. That remains to be seen. But those subject to FINRA authority would be wise to review their data security policies in light of this decision, or at a minimum discuss the matter further with their cybersecurity counsel.