FINRA (Financial Industry Regulatory Authority) to Examine Broker-Dealers for Cybersecurity Threats
In its 2014 Regulatory and Examination Priorities Letter, FINRA noted that cybersecurity remains a priority and that it will focus on "the integrity of firms’ policies, procedures and controls to protect sensitive customer data." In line with this priority, FINRA announced a Targeted Examination Letter detailing its intention to conduct an assessment of firms’ approaches to managing cybersecurity threats, which FINRA noted may cause potential harm to investors, firms, and the financial system as a whole. FINRA intends to survey and assess about 20 firms with a variety of business models. FINRA’s assessment will focus on areas relating to cybersecurity, including:
business continuity plans in the event of a cyber-attack;
understanding concerns and threats faced by the industry;
assessing the impact of cyber-attacks on the firm over the past year;
insurance coverage for cybersecurity-related events; and
arrangements with third-party service providers.
FINRA hopes that its assessment will help it achieve four broad goals: (1) to better understand the threats that firms face; (2) to increase its understanding of firms’ risk appetites, exposure, and major areas of vulnerability in their IT systems; (3) to better understand how firms could and do manage these threats; and (4) to share observations and findings as appropriate.
While one of FINRA’s goals appears to be information sharing, broker-dealers should understand that FINRA could take action based on examination findings of weaknesses in cybersecurity controls. At a minimum, broker-dealers should have a process in place for checking for cyberthreats and protecting data should an attack occur.