Finra is reviewing technology controls and cybersecurity programs of broker-dealer firms but is taking on a consultative approach, according to executives at the self-regulator.

In this post, we analyze the highlights in and our takeaways from the 2020 Priorities.

“OCIE’s 2020 examination priorities identify key areas of risk, both existing and emerging, that we expect self-regulatory organizations (SROs), clearing firms, investment advisers and other market participants to identify and mitigate,” SEC Chairman Jay Clayton says in a statement.

In the first half of 2019, data breaches increased by 54% compared to the first six months of 2018, according to a study by Risk Based Security. The amount of data breaches in the headlines has only increased in recent months, and as we look ahead to 2020, I expect to see more of the same.

The question is, are hackers really getting that much better at cyberattacks, or is it that organizations still aren't taking the steps needed to reduce their risk and exposure to the threats they are facing? I think it's a mixture of both. But certainly, the fact that three out of four organizations aren't providing basic cybersecurity training to their employees, according to a survey my company did with Censuswide, isn't helping things. The easier people make it for cyberattackers to exploit weak cyberpractices, the more we're going to see hackers take the easiest way into an enterprise.

Financial advisers don't want to talk about cybersecurity.

Firm Operations:

The 2019 Report focuses on cybersecurity, business continuity plans (BCPs) and fixed income mark-up disclosure. Noteworthy examination findings and observations include:

At a recent cybersecurity conference in New York City, there was a sterling panel of attorneys and executives from almost every branch of the federal and New York state governments who somehow touch upon the topic of cybersecurity. This included representatives from the Securities and Exchange Commission (SEC), the Federal Bureau of Investigation, the U.S. Attorney’s office for the Southern District of New York, the Federal Trade Commission, and the New York State Department of Financial Services (NYDFS). Rarely do you see every one of these agencies and departments on the same panel, let alone in the same room.

As advisory firms face risks of phishing, ransomware, email viruses and other targets, there’s one key way for them to know if they’re prepared: Put their systems to the test.

• Top-ranking firms are adding technology and insurance to protect their businesses from such events, and training employees to spot the risks.

• Having detailed strategies not only help firms stay in good standing with regulators, but also gives them a blueprint of what to do if a breach ever occurs.

While most professionals living in the modern world understand the importance of cybersecurity, far fewer people ascribe adequate significance to cyber-resilience. In fact, many folks do not understand the important difference between the two disciplines – a deficiency that sometimes leads to unnecessarily tragic outcomes after data breaches.