This issue of Winston’s Financial Service Update marks the debut of a new monthly feature that we call FINRA – Regulatory Matters at a Glance – What Compliance Officers Need to Know. This feature provides a summary of the regulatory notices, rule filings, guidance and the like published by the Financial Industry Regulatory Authority (“FINRA”) during the previous month, all in an easily accessible chart form that includes links to relevant documents and rules. We look forward to any comments you may have regarding this feature, including any suggestions that would make it more useful to you. Please send comments and suggestions to Glen Barrentine, the creator of this feature.
We would also like to highlight the February 3rd release by each of the SEC and FINRA of investor bulletins and reports on cybersecurity – a matter that seems to take on added urgency with each passing week. SEC Press Release. FINRA Press Release. Both the SEC Investor Bulletin, written by the Office of Investor Education and Advocacy, and FINRA’s investor alert, Cybersecurity and Your Brokerage Firm, encourage investors to understand their firm’s cybersecurity policies and include advice to help investors safeguard their accounts and personal financial information.
The SEC’s Risk Alert summarizes the Office of Compliance Inspections and Examinations’ recent examination sweep of 57 broker-dealers and 49 investment advisers. The examinations focused on how firms identify cybersecurity risks; establish cybersecurity policies, procedures, and oversight processes; protect their networks and information; identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors; and detect unauthorized activity.
FINRA’s Report on Cybersecurity Practices provides “an approach to cybersecurity grounded in risk management” that is particularly substantive and that would be useful not only to FINRA’s member firms but to any financial service company, especially one that interacts with clients or customers. Topics covered by FINRA’s report include cybersecurity risk assessment, technical controls, incident response planning, vendor management, staff training, cyber intelligence and information sharing, and cyber insurance.
We believe that the most significant item in FINRA’s report, however, is the report’s focus on the importance of a strong governance framework. The term “governance framework” is used by FINRA to refer broadly “to the establishment of policies, procedures and process to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements in a fashion that is understood within the organization and that informs its management of cybersecurity risk.”
Following the governance framework approach described in FINRA’s report will not only make for a better cybersecurity program but, importantly, will also produce cybersecurity program documentation that is consistent with the expectations of FINRA and the SEC and that allows for easier and more effective communication with the regulators on this difficult topic. This applies equally to routine regulatory reviews (FINRA member firms should expect cybersecurity preparedness reviews as part of every routine regulatory examination) and to regulatory inquiries triggered by incidents or other demonstrated weaknesses; in the latter case, documentation of a strong governance framework is likely to lessen the severity of any action taken by FINRA or the SEC and, hopefully, ward off failure-to-supervise charges and charges against individuals.