Following the release of its 2014 Regulatory and Examination Priorities Letter, FINRA announced that it would be conducting targeted exams or sweeps of member organizations to assess their vulnerability, risk management protocols, and oversight strategies concerning cybersecurity preparedness. In doing so, FINRA has recognized the critical role information technology plays in the securities industry and the potential harm to investors, ﬁrms, and the ﬁnancial system when a cyberattack occurs.
FINRA’s cyber assessment is expected to cover:
- Approaches to information technology risk assessment;
- Business continuity plans in case of a cyber-attack;
- Organizational structures and reporting lines;
- Processes for sharing and obtaining information about cybersecurity threats;
- Understanding of concerns and threats faced by the industry;
- Assessment of the impact of cyber-attacks on the ﬁrm over the past twelve
- Approaches to handling distributed denial of service attacks;
- Training programs;
- Insurance coverage for cybersecurity-related events; and
- Contractual arrangements with third-party service providers.
Given the recent spate of high-proﬁle cyber incidents, we believe that FINRA’s examinations will focus on members’ use of security software, data encryption, and password protection; the extent to which they perform ongoing cyber audits to ensure compliance; and their processes for assessing the current threat environment.