We recently highlighted the Securities and Exchange Commission’s 2014 OCIE Cybersecurity Initiative.  Not to be outdone, FINRA also released its Report on Cybersecurity Practices, which provides a much more in-depth treatment of cybersecurity.  Therein, FINRA offered its own insights into what it expects from firms’ cybersecurity risk management practices:

  • FINRA recommends that firms have a sound governance framework with strong leadership, including board- and senior-level engagement on cybersecurity issues.
  • Firms should conduct comprehensive risk assessments of external and internal threats, as well as asset vulnerabilities.
  • FINRA expects firms to implement sound technical controls, such as identity and access management, data encryption, and penetration testing.
  • FINRA recommends that firms develop, implement, and test incident response plans, which should include containment and mitigation, eradication and recovery, investigation, notification, and making customers whole.
  • Regarding the use of vendors, FINRA recommends that firms establish appropriate contract terms and perform strong due diligence before and during the engagement.
  • FINRA emphasizes the need for training that is tailored to staff needs.
  • FINRA encourages firms to take advantage of intelligence-sharing opportunities to protect themselves from cyber threats.

Firms that are deficient in any of these areas should review FINRA’s Report in detail and consult outside counsel regarding implementation of cybersecurity risk management practices to ensure compliance.  Not doing so leaves deficient firms open to more than just the increased threat of a data breach – the SEC and FINRA could come down hard on firms that do not have a comprehensive cybersecurity policy, either during an examination or after a breach.  Do not fall behind on cybersecurity.

For more information and resources related to cybersecurity, check out Fox Rothschild’s Privacy Compliance & Data Security blog.