The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by OCIE), recently released their 2017 examination priorities.  It is no surprise to find cybersecurity listed as an examination priority again this year.

OCIE and FINRA have repeatedly recognized cybersecurity as an examination priority.  OCIE first identified cybersecurity as an examination issue in 2014 and FINRA first mentioned data security and online defense as an issue in 2008.  Today, U.S. financial institutions regularly face increasingly sophisticated cyberattacks that seek to access or acquire customer data illegally, disrupt operations and increase reputational risk.  In light of these threats, OCIE and FINRA have further developed and refined their cybersecurity examination priorities to better identify and mitigate cyber risks for market participants.  Details follow below.

SEC’s 2017 Examination Priorities

The SEC, through OCIE, publishes annual examination priorities to identify issues that present a risk to investors or capital markets.  For 2017, OCIE again listed cybersecurity as a market-wide risk and examination priority.  OCIE promises to “continue [its] initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.”

FINRA’s 2017 Regulatory and Examination Priorities

In its latest Examination Priorities guidance, FINRA identified cybersecurity threats as “one of the most significant risks” that firms face in 2017.  Recognizing that cyber threats are dynamic and evolving, and that “there is no one-size-fits-all approach to cybersecurity,” FINRA stated that it would “tailor [its] assessment of cybersecurity programs to each firm” based on certain factors, such as its business model, size and risk profile.

FINRA also said it will focus on firms’ data loss prevention and vendor relationship management policies.  In assessing data loss prevention, FINRA plans to examine firms’ data storage policies, data flow, and the tools used to monitor and protect data.  With respect to examining management of vendor relationships, FINRA would review policies, consider whether vendors have access to sensitive firm data, and assess any controls put in place to protect firm data from insider threats.  FINRA also underscored two common vulnerabilities in cybersecurity controls that it has observed:  (i) password protections, encryption, network and system maintenance and physical security at branch offices tend to be weaker than at a firm’s headquarters; and (ii) some firms may not be complying with all or parts of Securities Exchange Act Rule 17a-4(f), which requires firms to preserve records securely, in a non-rewriteable, non-erasable format (the secure format is commonly called a “write once read many” or “WORM” format).