Lessons from FINRA’s 2019 Report on Examination Findings and Observations
The Financial Industry Regulatory Authority published its 2019 Report on Examination Findings and Observations (2019 Report) on October 16, 2019. This marks the third annual report of FINRA findings, but in a departure from the prior reports, the 2019 Report distinguishes “findings” (determinations that a firm or registered person has violated SEC, FINRA or other relevant rules) from “observations” (suggestions as to how a firm might improve its control environment, communicated separately from a formal examination report).
Firm Operations
The 2019 Report focuses on cybersecurity, business continuity plans (BCPs) and fixed income mark-up disclosure. Noteworthy examination findings and observations include:
Cybersecurity: To help firms improve their cybersecurity programs, and potentially their Regulation S-P compliance, FINRA identified a number of practices that some firms have implemented to enhance their cybersecurity risk-management programs. These practices include:
Maintaining branch-level written cybersecurity policies, and establishing procedures to verify that the controls those policies require are actually implemented and functioning.
Documenting policies regarding vendor and third-party management.
Establishing and testing written formal incident response plans (including tools to identify, classify, prioritize, track and close cybersecurity-related incidents).
Encrypting all confidential data wherever stored.
Implementing timely application of system security patches for critical firm resources (e.g., servers, network routers, desktops, laptops, software systems).
Implementing and maintaining “Policies of Least Privilege,” or other appropriate policies and procedures, to grant system and data access only when required, and to control and track access to data or systems (e.g., multi-factor authentication controls).
Maintaining a current inventory of critical information technology assets, which should include legacy assets that are no longer supported by vendors.
Implementing data loss prevention controls to protect sensitive customer information.
Providing robust cybersecurity training for registered representatives, third-party providers and consultants.
Implementing procedures that address the documentation, review, prioritization, testing, approval and management of hardware and software changes.