FINRA recently issued a Report on Cybersecurity Practices (“Report”), growing out of its targeted examination of firms last year. To issue the Report, FINRA gave careful consideration to the needs of many broker-dealers for information and the tools to combat cyber intrusions. The Report is comprehensive, and it doesn’t shy away from delving into technical detail. Our review of it leads us to conclude that it is a useful resource for broker-dealers looking to assess and improve their procedures for preventing a cybersecurity attack, and dealing with one if and when it comes.
At the same time, FINRA issued guidance to help investors understand the state of their firms’ data protection, in the form of a new Investor Alert entitled “Cybersecurity and Your Brokerage Firm.” The Alert recommends that investors ask their firms about: the safeguards they have in place to protect personal information and assets; the procedures the firm uses to monitor investors’ personal information; the firm’s approach to handling cyber events; whether the firm will reimburse investors if their assets are compromised due to a cyber attack; and what measures the firm recommends investors take to personally protect their information.
FINRA’s Report (together with the SEC’s recent cybersecurity report) should provide the motivation, and some of the tools, needed by those broker-dealers who have put off focusing on this area to roll up their sleeves. Additional motivation will come from the firms’ own customers.
This Client Alert cannot hope to summarize the 45-page Report, and we encourage those firms embarking on a cybersecurity project to read the entire Report. Here we will point out some of the most relevant observations and recommendations in the Report, with a view to encouraging broker-dealers to review their procedures and adopt the recommendations as appropriate.
As FINRA’s Report indicates, cybersecurity has been a regular theme in its annual Regulatory and Examination Priorities Letter since 2007, and over the years FINRA has conducted surveys and on-site reviews of firms to increase its awareness of how firms control cyber risks. FINRA points to a variety of factors driving firms’ exposure to cybersecurity threats, including advances in technology, changes in firms’ business models, and changes in how firms use technology. A prime example of such risks is the increased use of web-based access or mobile devices for brokerage activities.
FINRA defines “cybersecurity” as “the protection of investor and firm information from compromise through the use . . . of electronic digital media.” “Compromise” is the loss of data confidentiality, integrity or availability. FINRA acknowledges that there is no “one size fits all” approach, because firms come in a variety of sizes and business models, and acceptable approaches to compliance and supervision may vary widely among firms. But at the end of the day, “firms must have appropriate risk management measures in place to address the cybersecurity-related threats they face.”
FINRA’s Report is perhaps at its most useful when it reviews practices that it observed at firms in each area discussed; these discussions will permit broker-dealers to benchmark their practices against the industry in general, and increase the urgency of improving their systems when they find that they fall short.
A more complete analysis of the Report can be found in our client alert, available here.