FINRA Letter Announces Cybersecurity as 2016 Exam Priority

The Financial Industry Regulatory Authority (“FINRA”) released its annual Regulatory and Examination Priorities Letter on January 5, listing cybersecurity as a 2016 examination priority.¹ This letter broadly identifies new and recurring areas of concern important to FINRA’s regulatory programs and investor risk protection, including cybersecurity risk management and preparedness. Though cybersecurity has received strict regulatory scrutiny in 2015,² the inclusion as a 2016 priority indicates that it will continue to be a top area of concern in the year ahead. 

Among its objectives to generally focus on supervision, risk management, and controls within firms, FINRA specifically notes its continued emphasis on ensuring cybersecurity defenses in light of the persistence and evolving nature of cyber threats and the continued lack of preparedness among firms. Firms are particularly prone to risks from: 

• unapproved internal and external access to client accounts; 
• unsecure online trading systems and asset transfer systems; and 
• improper management of firms’ vendor relationships. 

As a result, FINRA intends to “review firms’ approaches to cybersecurity risk management,” including the examination of firm processes and controls related to: 

• governance; 
• risk assessment;
• technical controls; 
• incident response; 
• vendor management; 
• confidentiality of sensitive customer information;³ 
• data loss prevention; 
• trading system accessibility; and 
• staff training. 

Going forward, firms should note this extended regulatory focus and continue to update and enhance their comprehensive information security programs which should already be in place.⁴ 

Footnotes 

_{1) 2016 Regulatory and Examination Priorities Letter, FINRA, (Jan. 5, 2016), http://www.finra.org/industry/2016-regulatory-and-examination-priorities-letter.
2) 2015 Regulatory and Examination Priorities Letter, (Jan. 6, 2015), http://www.finra.org/industry/2015-exam-priorities-letter; National Exam Program Examination Priorities for 2015, (Jan. 13, 2015), https://www.sec.gov/news/pressrelease/2015-3.html.
3) As part of customer protection reviews, FINRA will consider firms’ compliance with The Securities and Exchange Commission Regulation S-P, which regulates financial institutions’ treatment of nonpublic personal consumer information, and Securities Exchange Act Rule 17a-4(f), which requires data stored electronically to be kept in a format that cannot be written over or erased.
4) To address these regulatory focuses and strengthen their cybersecurity programs, firms should consider implementing the highly suggested practices outlined in FINRA’s Report on Cybersecurity Practices. 2015 Report on Cybersecurity Practices, FINRA (Feb. 3, 2015), https://www.finra.org/industry/2015-cybersecurity-report. See also SEC Cybersecurity Examinations and Enforcement: What Broker-Dealers and Investment Advisers Need to Know, Dechert, (Sept. 28, 2015), https://info.dechert.com/10/5583/september-2015/sec-cybersecurity-examinations-and-enforcement--what-broker-dealers-and-investment-advisers-need-to-know.asp.}