January 27, 2022

Volume XII, Number 27


The Securities and Exchange Commission and Financial Industry Regulatory Authority Release Examination Priorities for 2017

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”), a private self-regulatory organization overseen by OCIE, recently released their 2017 examination priorities. It is no surprise to find cybersecurity listed as an examination priority again this year.

OCIE and FINRA have repeatedly recognized cybersecurity as an examination priority.  OCIE first identified cybersecurity as an examination issue in 2014 and FINRA first mentioned data security and online defense as an issue in 2008.  Today, U.S. financial institutions regularly face increasingly sophisticated cyberattacks that seek to access or acquire customer data illegally, disrupt operations and increase reputational risk.  In light of these threats, OCIE and FINRA have further developed and refined their cybersecurity examination priorities to better identify and mitigate cyber risks for market participants.  Details follow below.

SEC’s 2017 Examination Priorities

The SEC, through OCIE, publishes annual examination priorities to identify issues that present a risk to investors or capital markets.  For 2017, OCIE again listed cybersecurity as a market-wide risk and examination priority.  OCIE promises to “continue [its] initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.”

FINRA’s 2017 Regulatory and Examination Priorities

In its latest Examination Priorities guidance, FINRA identified cybersecurity threats as “one of the most significant risks” that firms face in 2017.  Recognizing that cyber threats are dynamic and evolving, and that “there is no one-size-fits-all approach to cybersecurity,” FINRA stated that it would “tailor [its] assessment of cybersecurity programs to each firm” based on certain factors, such as its business model, size and risk profile.

FINRA also said it will focus on firms’ data loss prevention and vendor relationship management policies. In assessing data loss prevention, FINRA plans to examine firms’ data storage policies, data flows, and the tools used to monitor and protect data. In examining the management of vendor relationships, FINRA will review policies, consider whether vendors have access to sensitive firm data, and assess any controls put in place to protect firm data from insider threats. FINRA also underscored two common vulnerabilities in cybersecurity controls that it has observed: (i) password protections, encryption, network and system maintenance, and physical security at branch offices tend to be weaker than at a firm’s headquarters; and (ii) some firms may not be complying with all or parts of Securities Exchange Act Rule 17a-4(f), which requires firms to preserve records securely in a non-rewriteable, non-erasable format (commonly called a “write once read many” or “WORM” format).

© 2022 Covington & Burling LLP
National Law Review, Volume VII, Number 20

About this Author

Michael Nonaka, Covington Burling, data and cybersecurity lawyer
Partner

Michael Nonaka is co-chair of the financial institutions group and advises banks, financial services providers, and non-bank companies on a broad range of compliance, enforcement, transactional, and legislative matters. He has worked extensively with federal and state banking agencies and with other federal agencies authorized to regulate financial services. Mr. Nonaka also plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative...

202 662 5727
Micaela R.H. McMurrough, Covington, Data privacy Lawyer
Special Counsel

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters. Ms. McMurrough also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Ms. McMurrough has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of...

212-841-1242