It’s a new year, and time for the Financial Industry Regulatory Authority (FINRA)’s annual Regulatory and Examination Priorities Letter (the “2017 Letter”) We remind regulated entities of this list of examination priorities every year, because cybersecurity appears high on the list every year. 2017 is no exception.
The 2017 Letter
FINRA has been increasing its on-site examinations and enhanced risk-based surveillance “to apply a nationally consistent approach to identify and focus on material conduct at firms…” Among the operational risks listed in the 2017 Letter, Cybersecurity is listed first, and according to FINRA, “remain[s] one of the most significant risks many firms face, and in 2017, FINRA will continue to assess firms’ programs to mitigate those risks.”
Firms should be prepared for FINRA reviews of methods for preventing data loss, including understanding of data (e.g., its degree of sensitivity and the locations where it is stored), and its flow through the firm, and possibly to vendors. FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools. In some instances, FINRA has been known to review how firms manage their vendor relationships, including the controls to manage those relationships, and this line of examination is expected to continue. Importantly, the 2017 Letter recognizes the nature of the “insider threat” and expresses FINRA’s intent to inquire into what controls firms have in place to acknowledge and manage that “insider threat”. According to the 2007 Letter: “The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.”
The WORM Actions
As if to emphasize the seriousness of the inquiries, FINRA issued a series of Letters of Consent at the end of December, levying fines totaling $14 million against 12 firms, and discussed the record-keeping requirements at the core of the December regulatory actions in its 2017 Letter.
Specifically, Securities & Exchange Commission and FINRA rules require member firms to maintain certain electronic records in a non-erasable, non-rewritable format, known by the acronym WORM, for “Write Once, Read Many”. This format prevents the alteration or destruction of records stored electronically.
in its press release, FINRA explained that WORM format requirements were essential to FINRA’s investigative duties. FINRA noted how the volume of sensitive financial data stored electronically by members had risen exponentially in the past decade. This increase in the amount of sensitive information stored by FINRA members coincides with increasingly aggressive attempts to hack into electronic data repositories. “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.
FINRA found that the each of the 12 fined firms failed to follow required document retention regulations in various ways outlined in the Letters of Consent.
Brad Bennett, FINRA’s current chief of enforcement, will be stepping down shortly. #MLWashingtonCyberWatch will be keeping an eye on what, if any, changes may come with the new administration in 2017. Only time will tell whether FINRA will continue its aggressive enforcement actions or if we will see a softening of FINRA’s actions. Regardless of the regulatory inquiries, firms should continue to take actions to improve cybersecurity resilience and investor protection.