As we posted earlier in outlining FINRA’s 2014 Regulatory and Examination Priorities Letter, one focus was FINRA’s concern for the integrity of member firms’ policies, procedures and controls that are supposed to protect sensitive customer data. In the letter, FINRA states that it will examine and conduct targeted investigations. It followed up by issuing a separate notice concerning Targeted Examination Letters that some firms may receive, seeking information about how the firm addresses cyber-security threats, vulnerabilities, and the management of related risks. The cyber-security topics FINRA will examine or assess include a firm’s
- approaches to information technology risk assessment;
- business continuity plans in case of a cyber-attack;
- organizational structures and reporting lines;
- processes for sharing and obtaining information about cybersecurity threats;
- understanding of concerns and threats faced by the industry;
- assessment of the impact of cyber-attacks on the firm over the past twelve months;
- approaches to handling distributed denial of service attacks;
- training programs;
- insurance coverage for cybersecurity-related events; and
- contractual arrangements with third-party service providers.
Both broker-dealers and investment advisers should take this issue seriously. The concern should not solely be whether FINRA or the SEC thinks that your firm’s cyber-security program makes the grade. Nothing could be more damaging to a firm than to lose clients’ trust in the integrity of a firm’s ability to protect personal data. Senior management at some financial service firms (and I hear or observe it frequently) often mistakenly believe they are in the business of managing money (i.e., offering or selling or advising about it). They’re not. What they are in is the business of managing risks related to money. From regulatory sanctions and fines to civil lawsuits, failure to realize and assess that risk in a time of ever-proliferating and sophisticated cyber crime will, undoubtedly, leave less to manage. So, whether or not FINRA asks, how good are your policies, procedures, IT systems and plans for cyber-security?