After announcing that cybersecurity is one of its 2014 examination priorities, FINRA wasted no time before announcing a sweep examination to assess firms’ approaches to managing cybersecurity threats.
FINRA said that its concern results from “the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.” FINRA said that the sweep examination will look into cybersecurity areas including:
- approaches to information technology risk assessment;
- business continuity plans in case of a cyber attack;
- organizational structures and reporting lines;
- processes for sharing and obtaining information about cybersecurity threats;
- training programs; and
- contractual arrangements with third-party service providers.
FINRA isn’t the only regulator focusing on cybersecurity. In January, a high-level SEC official told an industry group that the NEP will review asset managers’ policies and procedures for preventing cyber attacks. In particular, the SEC is looking at the risks created by asset managers who give vendors access to their information technology systems.
As reported by Reuters, Jane Jarcho, national associate director of the SEC’s Investment Adviser/Investment Company examination program, stated, “We will be looking to see what policies are in place to prevent, detect and respond to cyber-attacks.”
Ms. Jarcho’s statement about asset managers continues a theme recently articulated in the NEP’s 2014 examination priorities. Among other things, NEP examiners will review firms’ vendor due diligence procedures and ensure that asset managers report cyber intrusions to their regulators. It is safe to say that the SEC’s examination program will also look at how broker-dealers maintain system security.
FINRA has already shown a willingness to pursue disciplinary action in this area – see our recent client alert – and firms should understand that FINRA or the SEC could take action based upon examination findings of deficient cybersecurity procedures.