Cyber-Security: FINRA’s Targeted Examination Letter

As we noted earlier in outlining FINRA's 2014 Regulatory and Examination Priorities Letter, one focus was FINRA's concern for the integrity of member firms' policies, procedures and controls that are supposed to protect sensitive customer data. In that letter, FINRA stated that it would examine and conduct targeted investigations, and it followed up by issuing a separate notice concerning Targeted Examination Letters that some firms may receive seeking information about how the firm addresses cyber-security threats, vulnerabilities, and the management of related risks. The cyber-security topics FINRA will examine or assess include a firm's

  • approaches to information technology risk assessment;
  • business continuity plans in case of a cyber-attack;
  • organizational structures and reporting lines;
  • processes for sharing and obtaining information about cybersecurity threats;
  • understanding of concerns and threats faced by the industry;
  • assessment of the impact of cyber-attacks on the firm over the past twelve months;
  • approaches to handling distributed denial of service attacks;
  • training programs;
  • insurance coverage for cybersecurity-related events; and
  • contractual arrangements with third-party service providers.

Both broker-dealers and investment advisers should take this issue seriously. The concern should not solely be whether FINRA or the SEC thinks that your firm's cyber-security program makes the grade. Nothing could be more damaging to a firm than losing clients' trust in the integrity of the firm's ability to protect their personal data. Senior management at some financial services firms (and I hear or observe it frequently) often mistakenly believe they are in the business of managing money (i.e. offering, selling or advising about it). They're not. What they are in is the business of managing risks related to money. From regulatory sanctions and fines to civil lawsuits, failure to recognize and assess that risk in a time of ever-proliferating and increasingly sophisticated cyber crime will, undoubtedly, leave less to manage. So, whether or not FINRA asks, how good are your policies, procedures, IT systems and plans for cyber-security?

Author: Dexter Johnson

The author is an attorney who for the past 14 years has concentrated his practice on successfully representing investment advisers, broker-dealers, corporations and individuals who are subject to SEC, FINRA, state or other regulation and who may be the subject of a regulatory examination, review or investigation. He formerly worked at the SEC. His regulatory and litigation experience has encompassed virtually every type of securities issue in the industry. He has also negotiated favorable outcomes in many of these matters for his clients.