Cybersecurity alarms have brought financial institutions and regulators into common cause
For example, if an advisor fills out an account form while meeting a new client in a coffee shop, the form will likely get downloaded to a mobile device and then eventually get stored on another computer at a home office somewhere. Wherever the new account form is, whether it's at rest or in transmission, its safety is subject to risk, Stillman said.
“The more technology evolves, the more it poses challenges to how safe information is if it's stored outside of the solution that the broker-dealer has put into place,” he said. “But if the broker-dealer says ‘you must use our platform,’ that may rub people the wrong way.”
In a letter introducing the 2016 priorities, FINRA Chairman and CEO Richard Ketchum said a more formalized assessment of firm culture will help FINRA “better understand how culture affects a firm's compliance and risk management practices.”
While FINRA's priorities letter says the authority “does not seek to dictate firm culture,” it does want to evaluate individual firms and the regulatory resources devoted to them.
FINRA plans to assess five indicators of a firm's culture: whether control functions are valued within the organization; whether breaches are tolerated; whether the organization seeks to identify risk and compliance events; whether supervisors are effective role models of firm culture; and whether sub-cultures at branch offices and trading desks conform to overall corporate culture.
A January legal update from law firm Dechert LLP underlines how seriously regulators are now taking cybersecurity in their exams of broker-dealers and investment advisors. The law firm said that one week after the SEC issued its OCIE cybersecurity examination initiative in September 2015, the agency announced the settlement of an enforcement proceeding against an advisor for failing to establish cybersecurity policies and procedures, in violation of a rule designed to protect the privacy of consumer financial information.
The advisor, St. Louis-based R.T. Jones Capital Equities Management, agreed to settle charges that it failed to establish required cybersecurity policies and procedures prior to a breach that compromised the personally identifiable information of about 100,000 individuals, the SEC charged. R.T. Jones agreed to pay a $75,000 penalty for the July 2013 attack on its Web server by an unknown hacker who gained access and thus made thousands of the firm's clients vulnerable to theft.
Darren Tedesco, managing principal of technology for Commonwealth Financial Network, said his large independent broker-dealer received and responded to the OCIE cybersecurity exam initiative but never got a reply from the SEC.
“Sometimes no news is good news,” Tedesco said. “What was impressive was that the SEC was asking intelligent questions that no one had asked before about how data is secured. It's refreshing to see the regulators are asking the right questions about cybersecurity. They want to make sure data is protected appropriately.”