FINRA’s Guidance and Insights Concerning Cybersecurity

Earlier this year, the Financial Industry Regulatory Authority (“FINRA”) published its 2023 Report on FINRA’s Examination and Risk Monitoring Program (the “Report”). The Report emphasized that FINRA believes “cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.”


Toward that end, the Report discusses, among other topics, risk assessments, account monitoring, third-party vendor and supply chain risks, written procedures, authorized system access, and reporting of suspicious activity. The Report is a useful resource for firms because it draws on FINRA's knowledge of actual cybersecurity attacks as well as FINRA's prior reports, regulatory guidance, and enforcement actions. Some of the "Effective Practices" provided in the Report are listed below; the full report can be found at: https://www.finra.org/rules-guidance/guidance/reports/2023-finras-examination-and-risk-monitoring-program


As further evidence of FINRA's focus on cybersecurity, the Report notes that FINRA established a Cyber and Analytics Unit in August 2022 to enhance its ability to deal with the increasing number and variety of attacks, such as customer account takeovers, network intrusions, ransomware attacks and cyber-enabled fraud. FINRA also warns that such cybersecurity incidents can expose firms to financial losses and operational failures and can impair their ability to comply with their cyber-related regulatory obligations. For instance, the Report cites regulatory obligations such as Rule 30 of SEC Regulation S-P (the safeguards rule), Regulation S-ID (identity theft red flags) and FINRA Rule 4370 (business continuity plans), which the Report ties to denials of service and other interruptions to firms' operations.


As noted above, FINRA shares valuable insights from its lessons learned. For example, part of the Report is entitled Observations and Effective Practices, and the Effective Practices section in particular serves as a good checklist for firms seeking to mitigate cybersecurity incidents and to ensure compliance with their regulatory obligations. The Effective Practices in the Report cover, among other areas, secure configurations, identity verification, vendor management, and risk assessments. Below are some of those practices as listed in the Report.


  • Secure Configurations: Confirming that desktops, laptops and servers are using current software systems with secure settings that expose only required services to reduce system vulnerabilities; and implementing timely application of systems security patches.
  • Risk Assessments: Regularly assessing the firm’s cybersecurity risk profile based on changes in the firm’s size and business model and newly identified threats; and regularly updating the firm’s cybersecurity program based on those assessments.
  • Vendor Management: Maintaining a list of all third-party-provided services, systems and software components, so that the firm can quickly determine what is affected in the event of a cybersecurity incident at one of its third-party vendors.
  • Outbound Email Monitoring: Implementing systems that scan outbound email text and attachments to identify and potentially block sensitive customer information or confidential firm data.
  • Identity Verification: For firms that allow new accounts to be opened online, developing a comprehensive process for validating the identity of new clients; and using third parties that can verify identities and provide a score related to the level of risk associated with a new account (to help firms determine if additional verification is required).
  • Log Management: Capturing log data from a broad set of sources and retaining it for a sufficient amount of time (e.g., a minimum of twenty-four months).
  • Data Backups: Completing regular backups of critical data and systems and ensuring the backup copies are encrypted and stored off-network; and regularly testing the recovery of data from backups to ensure information can actually be restored from the backup media.
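To make the Outbound Email Monitoring practice above concrete, here is an added example (not from the Report or the author) of the kind of check an outbound mail gateway performs: it parses a serialized message, decodes the body and every text attachment, searches them for sensitive customer identifiers, and decides whether to allow, block, or hold the message for review. The SSN pattern is the standard US format; the "BR-" account-number format, the addresses, and the sample messages are constructed for this example and are not real firm data. Binary attachments (such as PDFs) are flagged for review rather than inspected, because a real deployment needs a content-extraction step for those that is outside the scope of this snippet.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Detection patterns. The SSN pattern is the standard US format; the
# "BR-" account-number format is a hypothetical one assumed for this
# example, not a real FINRA or firm identifier.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "account": re.compile(r"\bBR-\d{8}\b"),
}


def scan_text(text):
    """Return (kind, matched_string) pairs for every sensitive value found in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def scan_message(raw):
    """Scan a serialized outbound message: the body and every text/* attachment.

    Returns a dict with the decision ('block', 'review' or 'allow'), the
    findings as (part_label, kind, match) tuples, and the labels of
    non-text attachments this scanner cannot inspect (a production DLP
    gateway would run content extraction on those before deciding).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    unscanned = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part; its leaves are visited separately
        label = part.get_filename() or part.get_content_type()
        if part.get_content_maintype() == "text":
            # get_content() undoes the transfer encoding and charset for us
            for kind, match in scan_text(part.get_content()):
                findings.append((label, kind, match))
        else:
            unscanned.append(label)
    if findings:
        action = "block"
    elif unscanned:
        action = "review"
    else:
        action = "allow"
    return {"action": action, "findings": findings, "unscanned": unscanned}


def build_sample_message(body, csv_attachment=None, pdf_attachment=None):
    """Construct a sample outbound message (constructed data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "advisor@firm.example"
    msg["To"] = "customer@mail.example"
    msg["Subject"] = "Account update"
    msg.set_content(body)
    if csv_attachment is not None:
        msg.add_attachment(csv_attachment, subtype="csv", filename="positions.csv")
    if pdf_attachment is not None:
        msg.add_attachment(pdf_attachment, maintype="application",
                           subtype="pdf", filename="statement.pdf")
    return msg.as_string()


# Constructed samples exercising the three outcomes.
SAMPLE_CLEAN = build_sample_message("Reminder: our office is closed on Monday.")
SAMPLE_SSN_IN_BODY = build_sample_message(
    "Hi Jane, confirming the SSN on file is 123-45-6789. Regards.")
SAMPLE_ACCOUNT_IN_CSV = build_sample_message(
    "Hi Jane, your positions are attached.",
    csv_attachment="name,account,balance\nJane Doe,BR-12345678,1050.00\n")
SAMPLE_PDF_ONLY = build_sample_message(
    "Your statement is attached.", pdf_attachment=b"%PDF-1.4 constructed stub")

if __name__ == "__main__":
    for name, raw in [("clean", SAMPLE_CLEAN), ("ssn", SAMPLE_SSN_IN_BODY),
                      ("csv", SAMPLE_ACCOUNT_IN_CSV), ("pdf", SAMPLE_PDF_ONLY)]:
        print(name, scan_message(raw))
```

The point of scanning attachments through the parser rather than grepping the raw message is that MIME transfer encodings (base64, quoted-printable) hide the identifiers from a naive text search; the CSV sample above is caught only because the part is decoded first. Pattern-only matching also produces false positives on innocuous nine-digit numbers, which is why the "review" path, rather than an automatic block, is the safer default for anything the scanner cannot fully inspect.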

In sum, FINRA’s report is full of useful and insightful information for a firm to mitigate its risks and ensure regulatory compliance.


Written by John J. Cooney, Esq.
With over 25 years of combined business, legal, and technical experience, The Law Office of John J. Cooney, P.C. offers comprehensive legal strategies and solutions for businesses, working efficiently with management and any existing counsel. John's firm concentrates on General Counsel services, Pre-Litigation Investigation, Defense, and Compliance services, as well as cybersecurity matters.