On February 3, the Financial Industry Regulatory Authority (“FINRA”) issued two publications concerning cybersecurity risks at financial firms. The Report on Cybersecurity Practices presents the results of FINRA’s 2014 targeted examination of cybersecurity issues at financial institutions and identifies risk management principles and practices to help firms reduce their exposure to cybersecurity threats. In conjunction with the report, FINRA also released Cybersecurity and Your Brokerage Firm, an investor alert designed to “encourage investors to understand a firm’s cybersecurity policies and take personal precautions to safeguard their brokerage accounts and personal financial information.” FINRA issued these publications on the same day as the U.S. Securities and Exchange Commission released its Cybersecurity Examination Sweep Summary, which presents observations from the SEC’s Office of Compliance Inspections and Examinations’ cybersecurity examinations of various financial institutions. For additional coverage of the SEC’s report, please see King & Spalding’s Client Alert, SEC Releases Results of Financial Industry Examination Sweep Regarding Cybersecurity.
The objective of FINRA’s 2014 examination was four-fold: “to better understand the types of threats that firms face; to increase [FINRA’s] understanding of firms’ risk appetite, exposure and major areas of vulnerabilities in their information technology systems; to better understand firms’ approaches to managing these threats; and to share observations and findings with firms.” With respect to the cybersecurity threat landscape, surveyed firms identified the three top threats that they face as “hackers penetrating firm systems; insiders compromising firm or client data; and operational risks.” FINRA noted that firms’ ranking of their top threats correlated to their business models; for example, companies using trading algorithms were more likely to highly rank insider risks.
The Report on Cybersecurity Practices further describes general principles and effective practices for identifying and managing cybersecurity risks. These include “defining a governance framework to support decision making based on risk appetite; ensuring active senior management, and as appropriate to the firm, board-level engagement with cybersecurity issues; identifying frameworks and standards to address cybersecurity; using metrics and thresholds to inform governance processes; dedicating resources to achieve the desired risk posture; and performing cybersecurity risk assessments.” Regarding assessing cybersecurity risk, the report recommends instituting governance frameworks to “identify and maintain an inventory of assets authorized to access the firm’s network and, as a subset thereof, critical assets that should be accorded prioritized protection” and further to “conduct comprehensive risk assessments that include: an assessment of external and internal threats and asset vulnerabilities; and prioritized and time-bound recommendations to remediate identified risks.” With respect to critical assets, the report notes that broker-dealers should consider their “obligations under Regulation S-P to protect customers’ personally identifiable information” and, accordingly, “databases containing personal client data and business applications containing this data would normally be considered critical assets.”
FINRA’s Cybersecurity and Your Brokerage Firm investor alert provides targeted guidance to investors concerning cybersecurity risks. The alert advises investors to familiarize themselves with their firm’s cybersecurity practices and policies by asking questions related to customer protections (e.g., “What safeguards do you have in place to protect my personal information and assets?” and “Do you monitor my personal information to determine whether it has been stolen or misused?”). The alert further states that investors should take practical steps to protect their own personal financial information and brokerage accounts, including installing updated firewall and anti-virus programs on personal computers and remembering to formally log out of online account sessions after each login.
The publication of these FINRA materials along with the SEC’s report demonstrates that cybersecurity issues will continue to be a focal point for regulators in the aftermath of the White House’s recent data breach proposal.