FINRA Operational Risks – Cybersecurity 2017
Are you prepared? Can you pass the review?
FINRA published its Annual Regulatory and Examination Priorities Letter (the Priorities Letter).
“The annual Priorities Letter is useful for firms when reviewing their compliance and supervisory programs and framing issues to address.
Cybersecurity threats remain one of the most significant risks many firms face, and in 2017, FINRA will continue to assess firms’ programs to mitigate those risks. FINRA recognizes there is no one-size-fits-all approach to cybersecurity, and we will tailor our assessment of cybersecurity programs to each firm based on a variety of factors, including its business model, size and risk profile.
Among the areas FINRA may review are firms’ methods for preventing data loss, including understanding their data (e.g., its degree of sensitivity and the locations where it is stored), and its flow through the firm, and possibly to vendors. FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools.
In some instances, we will review how firms manage their vendor relationships, including the controls to manage those relationships. The controls should be informed by a number of factors, including a clear understanding of any customer or employee personally identifiable information or sensitive firm information to which vendors have access. We may also examine firms’ controls to protect sensitive information from insider threats. The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.”