Atkins: FINRA is looking very carefully at cybersecurity this year. It has already come up in my clients’ exams. Rick Ketchum, the CEO of FINRA, has said publicly that FINRA believes cybersecurity is a very serious concern. Part of that is record retention and the ability to retain documents in WORM format and so on.
But the other part is protection of data. I have seen examiners starting to focus on protection of customer nonpublic information. Firms need to ask themselves “Are we permitting attachments on outgoing email that include customer date of birth, social security number?”, “Do we have a system in place that grabs and tracks that?”, “Are we encrypting files?”, “If someone sends an unsecured file with name, address and social security number, is that considered a data loss?”, and “Do we have a process for reporting data losses?” Some of the states have very serious penalties for failure to report data loss. For example, Florida just changed its law; it’s now one of the toughest in the country. It’s also a sliding scale: the longer you go without reporting, the higher the sanction gets. So it can become a real problem.
Other questions to consider include “Are we blocking the ability of people to insert thumb drives and download their whole customer file and take it with them if they leave?”, “Have we protected customer non-public information in accordance with SEC Privacy of Consumer Financial Information (Regulation S-P)?”, and “When we retire old copy machines, do we have a process in place to preserve the hard drive?”
For cybersecurity, some of the focus of FINRA exams is fundamental, like having strong passwords, while other aspects are more complex. The fact that FINRA’s devoted an entire conference to cybersecurity for the last two years demonstrates its commitment in this area.