FINRA Provides Further Detail on Technology Management and Cybersecurity
In part two of a three-part podcast, FINRA focused on the technology and cybersecurity portions in its 2016 Regulatory and Examination Priorities Letter.
Technology Management. The FINRA podcast highlighted: (i) errors when a firm changes its systems or applications, which can cause problems ranging from adverse customer effects to market-disrupting orders; (ii) deficiencies in written procedures; (iii) insufficient segregation of duties for people involved in developing and deploying technology; and (iv) lack of user acceptance testing and quality assurance. FINRA stated that it will examine firms' data governance, quality controls, and reporting practices to make sure they are accurate, complete, consistent, and timely.
Cybersecurity. FINRA is examining firms' abilities to protect the confidentiality, integrity, and availability of sensitive customer and firm information. Depending on a firm's business and risk profile, FINRA recommends:
- Governance – Firms should set up and implement a cybersecurity governance framework that supports informed decision-making and the ability to identify and manage cybersecurity risks. The framework should include defined risk-management policies, processes, and structures, coupled with relevant controls tailored to that firm's risks and resources.
- Risk Assessment – Firms should do regular assessments to identify cybersecurity risks associated with firm assets and vendors. FINRA views the risk assessment process as a key driver in a firm’s risk-management based cybersecurity program, and such a process should lead to changes in a firm’s controls to remediate identified risks. Examples include adding anti-virus or e-mail content analysis software and setting up system restore processes.
- Incident Response – Firms should provide a framework to manage a cybersecurity event in a way that limits damage, increases stakeholder confidence, and reduces recovery time and costs. A firm’s response plan should address different attack scenarios, since attacks can come from many different directions.
Going forward, FINRA will focus on the cybersecurity areas of governance, risk assessment, and incident response, as well as technical controls, vendor management, data loss prevention, and staff training.