After announcing that cybersecurity will be one of its 2014 examination priorities, FINRA wasted no time before commencing a sweep.  FINRA announced a Targeted Examination Letter to conduct an assessment of firms’ approaches to managing cybersecurity threats.

FINRA bases its concern on “the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.”  FINRA’s assessment will look into such cybersecurity-related areas as:

  • approaches to information technology risk assessment;
  • business continuity plans in case of a cyber-attack;
  • organizational structures and reporting lines;
  • processes for sharing and obtaining information about cybersecurity threats;
  • training programs; and
  • contractual arrangements with third-party service providers.

FINRA hopes that the assessment will help it:

  1. better understand the types of threats that firms face;
  2. increase its understanding of firms’ risk appetites, exposure and major areas of vulnerabilities in their IT systems;
  3. better understand firms’ approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices and supervision; and
  4. share observations and findings with firms as appropriate.

Note that FINRA’s goals appear to be exclusively in the realm of “understanding” and “sharing,” and not to take formal or informal disciplinary action.  In view of the challenges and rapid developments in this area, FINRA’s role in gathering and sharing best practices is laudable.  Broker-dealers and, indeed, all financial institutions should pay close attention to FINRA’s findings with a view to improving their systems.

But FINRA has already shown a willingness to pursue disciplinary action in this area – see our recent Client Alert – and firms should understand that FINRA could again take action based upon examination findings of deficient cybersecurity procedures.  As with any other compliance issue, the time for a firm to evaluate and improve its systems and procedures is now, so that it can demonstrate to examiners its conscientiousness and concern with investor protection.