Annmarie Giblin is a Partner based in New York. She helps clients navigate the legal complexities surrounding cybersecurity, privacy and data management with a focus on data governance, maintenance, cybersecurity planning and policies, privacy concerns and strategies, emerging technologies, and related compliance programs.
Annmarie's practice is data-centric and anchored by her proactive cybersecurity approach, which holistically prepares for a data security incident and related response/compliance issues before it occurs, and includes all related legal concerns that affect data, including data governance, privacy legal issues and compliance, and the collection, use, sharing and transfer of data. She represents clients in the banking, finance, transportation and logistics, software (including software as a service), social media, consumer-facing retail, cosmetics, insurance, accounting, advertising, mortgage lending, healthcare and not-for-profit industries. She also provides clients support with managing third-party vendor legal risks, cyber incident response, and legal guidance on emerging technologies, such as artificial intelligence.
Recent Articles & Comments
Third-party providers present the largest cyber risks that firms face. The risks have only grown as firms rely more and more on these providers and because many of them are not willing to remain contractually liable for the increased risks.
Having a dedicated and well-documented third-party vendor risk management program is a good way to vet third-party providers, thereby limiting some of the risk, and to demonstrate compliance with related legal obligations. Part of that program should…
This settlement highlights the growing importance of conducting a "lessons learned" after a cyber incident has occurred and been remediated. A cyber incident can be considered a warning sign of larger security problems within the organization and recovery should always include a harder look at what other gaps and vulnerabilities exist within the same (and include a fresh look at the organization's compliance posture with related laws and regulations). It is also a good reminder that this…
This is another example of how regulatory agencies are identifying and closing gaps within their own information systems. FINRA, like the SEC, has been looking at cybersecurity and privacy concerns more closely in the last few years and, as a result, has been releasing publications and new rules aimed at shoring up the same. This focus on privacy and cybersecurity concerns will continue. For firms that are worried about future-proofing their compliance programs, a good rule of thumb is to…
FINRA's Regulatory Notice provides helpful reminders on general regulatory considerations, but also suggests that FINRA, like most regulators, is struggling to fit this emerging technology squarely into the box of existing regulation. The conclusion, for now, is that existing regulation is sufficient to address the use of AI for members; but looking ahead, it is likely that more regulation is coming.
The takeaway from this guidance is that members should ensure that their use and…