The SEC and FINRA have continued to designate cybersecurity as an exam priority. Both the SEC and FINRA have also recently published the findings of their exam sweeps. As reported by the Investment News, the results of those sweeps when it comes to cybersecurity are telling.
The sweeps show that firms, much as with compliance generally, are not yet setting the tone at the top when it comes to data security, but must. In order to have a successful cybersecurity program, data security has to be a firm-wide concern, not just a creature of the IT department.
Of additional interest are the differences between brokers and investment advisors. Although the majority of all firms have written policies on cybersecurity, more brokers than investment advisors audit those policies to determine firm compliance, which raises a fundamental issue. A policy is only as good as those who stand behind it and ensure compliance with it.
Firms should expect little sympathy from their regulators if they think that only having a written policy on cybersecurity is enough. Undoubtedly, the SEC and FINRA will want to know what you have done to ensure compliance with those policies.
So what should firms do to avoid this impending wrath? First, make sure you have robust written policies that address cybersecurity from a firm-wide standpoint. Second, deploy the resources necessary to ensure that you are executing on those policies.
Although no data security program is perfect, make sure you have one and enforce it. Protect your clients. Protect your firm. And avoid regulatory sanctions in the process.
