The SEC and FINRA are maintaining a steady drumbeat to motivate regulated firms to adequately protect themselves from cyberattack.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) began 2014 by prominently emphasizing information security technology in its published examination priorities for the year. These included a specific reference to the cybersecurity issues around broker-dealer trading activities. Then, in March, the Commission held a Cybersecurity Roundtable at which SEC Chairman Mary Jo White and Commissioner Luis Aguilar both emphasized this topic’s importance for regulated firms.
In April, OCIE again weighed in, issuing a risk alert that announced an initiative to conduct targeted cybersecurity exams of more than 50 broker-dealers and investment advisers. OCIE included a sample information request as an appendix to the risk alert, “to empower compliance professionals … with questions and tools they can use to assess their firms’ level of preparedness” regardless of whether they are subject to an exam.
FINRA also included cybersecurity prominently among its published regulatory and examination priorities for 2014, announcing that it was sending targeted examination letters to broker-dealer firms to assess their approaches to cybersecurity threat management. The concerns itemized in this announcement are similar to those reflected in more detail in OCIE’s risk alert and its accompanying appendix. FINRA panelists discussed the findings of FINRA’s targeted examination sweep at its South Regional Compliance Seminar in November.
Under the circumstances, firms that have not already done so should strongly consider assembling a team across business areas to address cybersecurity, in consultation with compliance and legal personnel. The OCIE Risk Alert Appendix can serve as a very useful guide and checklist for that effort.