Following up on FINRA’s 2014 Regulatory and Examination Priorities Letter, FINRA recently announced its intent to initiate targeted exams focused on cybersecurity. The targeted examination letters are expected to request information regarding:
- approaches to information technology risk assessment;
- business continuity plans in case of a cyber-attack;
- organizational structures and reporting lines;
- processes for sharing and obtaining information about cybersecurity threats;
- understanding of concerns and threats faced by the industry;
- assessment of the impact of cyber-attacks on the firm over the past twelve months;
- approaches to handling distributed denial of service attacks;
- training programs;
- insurance coverage for cybersecurity-related events; and
- contractual arrangements with third-party service providers.
In conducting this sweep, FINRA expects to (1) better understand the threats that firms face; (2) assess vulnerabilities in firms’ IT systems; (3) understand firms’ approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices and supervision; and (4) as appropriate, share observations and findings with firms. This follows certain targeted on-site examinations of firms over the past several years, in which the focus has been on those firms’ use of technology and the risk mitigation controls in place to prevent cybersecurity breaches.
Although FINRA has not made any formal recommendations, if its prior enforcement actions are any indication, we anticipate that data encryption, password protection, and anti-virus and security software will be deemed fundamental tools that firms will be expected to use in the face of the ever-greater cybersecurity threat. Additionally, we expect that FINRA will be looking for evidence of periodic audits that assess the effectiveness of cybersecurity efforts. Finally, to the extent that any cybersecurity efforts are outsourced, we believe that FINRA will assess a firm’s supervision of that process under Regulatory Notice 05-48.
Ultimately, FINRA is attempting to assess the integrity of firms’ infrastructure and the safety and security of sensitive customer data.