A Guide to FINRA’s 2021 Compliance Goals
The Financial Industry Regulatory Authority (FINRA) recently published its 2021 Report on FINRA’s Examination and Risk Monitoring Program. The report contains insights from FINRA’s regulatory operations and is designed to guide the compliance efforts of member firms.
In the broadest sense, FINRA declares cybersecurity as “one of the principal operational risks facing broker-dealers,” expecting firms to develop “reasonably designed” cybersecurity programs and controls consistent with their risk profile, business model and scale of operations.
Financial organizations should look over the report to absorb the observations and implement the suggestions most relevant to them. In preparation for a deeper dive, here are some of the key takeaways related to cybersecurity.
Business Continuity Plans Are Expected
The U.S. Securities and Exchange Commission (SEC) requires companies to have written safeguards and procedures in place for the purpose of protecting customer data. The report points to FINRA Rule 4370, which states that businesses must keep a business continuity plan detailing the procedures for emergencies, like data breaches. This plan must be updated in response to significant changes in the business’s operation and must be reviewed annually to determine if any modifications are necessary.
FINRA specifies what type of information the continuity plan should cover, including data backup and recovery, records of financial and operational assessments, and communications with customers, regulators and employees. The plan must be approved by a member of senior management, who is also responsible for conducting the annual review.
Much like the privacy policies required by CCPA, FINRA expects its members to disclose this continuity plan to customers when they open an account, to post it on their website, and to mail it to customers upon request.
Encryption is Necessary
Many of the considerations highlighted go beyond just responding to attacks. FINRA stresses the importance of Data Loss Prevention, including encryption controls. Active measures should be taken to train employees at all levels on cybersecurity risks, especially the ones that commonly target them, like phishing emails.
In addition, multi-factor authentication and other access management controls should be implemented. Any change requests and approvals affecting cybersecurity systems should be documented consistently, much like any information technology problems and their remediation. Evaluation should not be limited to internal operations: organizations should also consider what controls they have in place to evaluate their vendors’ cybersecurity controls.
To get a sense of the type of problems those in the industry are facing, FINRA lists some common pitfalls observed in its exams. For example, FINRA warns against the common practice of not encrypting all confidential consumer data, such as Social Security numbers, and against not maintaining cybersecurity policies, inspection programs or automated monitoring programs at the branch level.
Training Should be a Priority
FINRA notes that many companies fail to provide employee training on cybersecurity risks and on employees’ roles in preventing and mitigating them. Another common finding is companies not going far enough in engaging and evaluating their vendors’ cybersecurity programs; the report cites on-boarding, off-boarding and the disposal process for nonpublic personal information.
One policy mentioned is “least privilege”: a clear hierarchy that grants systems and data access only to those who need it and removes that access once the need has been fulfilled. Those with administrative access should be tracked and monitored appropriately.
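As an added illustration (not code from the FINRA report or from any firm), the following Python sketch models the “least privilege” policy described above: each grant is tied to a stated need and an expiry, expired grants are revoked, and every use of an administrative grant is recorded for review. All names, resources and timestamps are constructed.

```python
"""Time-bound least-privilege access ledger (added example, not from FINRA).

Each grant records who, what, why and when the need ends; expired grants are
revoked, and every use of an administrative grant is logged for review.
All names and timestamps below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    reason: str        # business justification recorded with the grant
    expires_at: int    # epoch seconds; access is removed once the need ends
    privileged: bool   # administrative access is tracked on every use


@dataclass
class AccessLedger:
    grants: list = field(default_factory=list)
    admin_log: list = field(default_factory=list)  # (time, user, resource, reason)

    def grant(self, user, resource, reason, now, ttl_seconds, privileged=False):
        """Issue a grant that expires ttl_seconds after 'now'."""
        g = Grant(user, resource, reason, now + ttl_seconds, privileged)
        self.grants.append(g)
        return g

    def revoke_expired(self, now):
        """Drop grants whose need has ended; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)

    def check(self, user, resource, now):
        """Allow only while a live grant exists; log each privileged use."""
        for g in self.grants:
            if g.user == user and g.resource == resource and g.expires_at > now:
                if g.privileged:
                    self.admin_log.append((now, user, resource, g.reason))
                return True
        return False


if __name__ == "__main__":
    ledger = AccessLedger()
    ledger.grant("alice", "customer-db", "quarterly audit", now=1000, ttl_seconds=3600, privileged=True)
    print(ledger.check("alice", "customer-db", now=1500))  # True, and recorded in admin_log
    print(ledger.check("alice", "customer-db", now=5000))  # False: the need has ended
```

The admin_log entries are the artifact a reviewer would examine when checking that administrative access is being tracked; a periodic call to revoke_expired is what actually removes access once the need is over.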
When facing application or technology changes, like upgrades, new vendors or system modifications, companies should take care to engage in sufficient supervisory oversight. Failing to do so can lead to firms violating other regulatory obligations.
FINRA takes it a step further and suggests effective practices based on observations from its regulatory exams:
Cross-department collaboration to assess risk, monitor access, and identify or investigate violations of company policies or regulations regarding data;
Creating a written response plan for cybersecurity incidents and a framework to identify, classify, prioritize and monitor these threats as they appear. These processes should be regularly tested;
Applying system security patches to key firm technology used to access data;
Keeping an inventory of technology assets, with details on the cybersecurity controls in place for each one;
Creating a management process for application and technology changes.
In light of increases in cybersecurity incidents (ransomware, imposter websites, system outages, email takeovers), organizations should take a look at the full report to get a better grasp on the cybersecurity issues they face. This context can be key for identifying gaps you didn’t know were there and taking effective steps forward.