What about cybersecurity?

At an event a few weeks ago, I interviewed Mitchell Atkins about Financial Industry Regulatory Authority (FINRA) 2016 Exam Priorities. Atkins worked for FINRA for more than twenty years and now is Principal at FirstMark Regulatory Solutions, a consultant to FINRA-registered broker dealers, financial services firms, and investment advisers. An edited version of our conversation follows.
Belbey: Based on your broker-dealer clients’ exams experiences, what are you seeing as priorities from FINRA in 2016 so far?
Atkins: In January, FINRA releases its annual examination priorities letter to tell firms what examiners will be looking for that year. One of the things that consistently appears in the priorities is supervision and supervisory controls. This year's no different.
However, this year the industry is in a little bit of an uproar, as FINRA also said it plans to focus on the culture of compliance at firms. Firms are asking: "How do you measure culture?", "What do we have to do to be compliant?", and "What rule specifically tells us how to do that?"
Atkins: FINRA is looking very carefully at cybersecurity this year. It has already come up in my clients' exams. Rick Ketchum, the CEO of FINRA, has said publicly that FINRA believes cybersecurity is a very serious concern. Part of that is record retention and the ability to retain documents in WORM format and so on.
But the other part is protection of data. I have seen examiners starting to focus on protection of customer nonpublic information. Firms need to ask themselves: "Are we permitting attachments on outgoing email that include customer date of birth or social security number?", "Do we have a system in place that grabs and tracks that?", "Are we encrypting files?", "If someone sends an unsecured file with name, address and social security number, is that considered a data loss?", and "Do we have a process for reporting data losses?" Some of the states have very serious penalties for failure to report data loss. For example, Florida just changed its law; it's now one of the toughest in the country. It's also a sliding scale: the longer you go without reporting, the higher the sanction gets. So it can become a real problem.
Other questions to consider include “Are we blocking the ability of people to insert thumb drives and download their whole customer file and take it with them if they leave?”, “Have we protected customer non-public information in accordance with SEC Privacy of Consumer Financial Information (Regulation S-P)?”, and “When we retire old copy machines, do we have a process in place to preserve the hard drive?”
For cybersecurity, some of the focus of FINRA exams is fundamental, like having strong passwords; other aspects are more complex. The fact that FINRA's devoted an entire conference to cybersecurity for the last two years demonstrates its commitment in this area.