FINRA Releases Information Notice on Cybersecurity Authentication Methods and Releases Regulatory Notice on Revised NAC Sanction Guidelines
Notice on Cybersecurity Authentication Methods
On October 15, the Financial Industry Regulatory Authority (FINRA) released an information notice (Notice) providing additional background on authentication techniques for firms to consider as they implement cybersecurity authentication programs.
The Notice provides an overview of authentication factors that may be based on various categories of information, including PINs or passwords, “hard” physical tokens (such as key fobs) and “soft” tokens (such as a mobile phone app) that generate temporary or time-based passwords.
The Notice clarifies that the use of single-factor authentication may subject broker-dealers and customers to heightened risk of attacks on password credentials, which represent the vast majority of the hacking tactics associated with reported breaches. FINRA specifically emphasized that the use of multi-factor authentication, which uses two or more different types of factors or secrets, significantly reduces the likelihood that the exposure of a single credential will result in account compromise.
The Notice is available here.
Regulatory Notice on Revised NAC Sanction Guidelines
On October 20, the National Adjudicatory Council (NAC) of the Financial Industry Regulatory Authority (FINRA) revised the Principal Considerations in Determining Sanctions section of the FINRA Sanction Guidelines to expressly contemplate a customer’s age or physical or mental impairment. In connection therewith, FINRA released Regulatory Notice 20-37.
The prior version of FINRA’s Sanction Guidelines contained 19 Principal Considerations in Determining Sanctions that adjudicators were instructed to consider. As amended, the Sanction Guidelines now contain 20 Principal Considerations.
FINRA specified that the amendments reflect NAC’s overall concerns regarding the protection of customers, especially senior investors or mentally impaired customers. In furtherance of those concerns, FINRA amended Principal Consideration No. 19 to explicitly include customers’ mental or physical impairment. Additionally, FINRA introduced a new Principal Consideration No. 20 to consider whether the customer is age 65 or older.
The amendments to the Sanction Guidelines are effective immediately.