16 February 2014

FINRA Announces A Sweep To Assess BDs’ Cybersecurity

Morrison & Foerster LLP

Contributor

Known for providing cutting-edge legal advice on matters that are redefining industries, Morrison & Foerster has 17 offices located in the United States, Asia, and Europe. Our clients include Fortune 100 companies, leading tech and life sciences companies, and some of the largest financial institutions. We also represent investment funds and startups.

After announcing that cybersecurity will be one of its 2014 examination priorities, FINRA wasted no time before commencing a sweep.  FINRA announced a Targeted Examination Letter to conduct an assessment of firms' approaches to managing cybersecurity threats.

FINRA bases its concern on "the critical role information technology (IT) plays in the securities industry, the increasing threat to firms' IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose." FINRA's assessment will look into such cybersecurity-related areas as:

  • approaches to information technology risk assessment;
  • business continuity plans in case of a cyber-attack;
  • organizational structures and reporting lines;
  • processes for sharing and obtaining information about cybersecurity threats;
  • training programs; and
  • contractual arrangements with third-party service providers.

FINRA hopes that the assessment will help it:

  1. better understand the types of threats that firms face;
  2. increase its understanding of firms' risk appetites, exposure and major areas of vulnerabilities in their IT systems;
  3. better understand firms' approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices and supervision; and
  4. share observations and findings with firms as appropriate.

Note that FINRA's goals appear to be exclusively in the realm of "understanding" and "sharing," and not to take formal or informal disciplinary action.  In view of the challenges and rapid developments in this area, FINRA's role in gathering and sharing best practices is laudable.  Broker-dealers and, indeed, all financial institutions, should pay close attention to FINRA's findings with a view to improving their systems.

But FINRA has already shown a willingness to pursue disciplinary action in this area – see our recent Client Alert – and firms should understand that FINRA could again take action based upon examination findings of deficient cybersecurity procedures.  As with any other compliance issues, the time for a firm to evaluate and improve its systems and procedures is now, so that it can demonstrate to examiners its conscientiousness and concern with investor protection.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
