2021 Cybersecurity and Technology Governance Regulatory Obligations
The SEC’s Regulation S-P Rule 30 requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information. FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations. In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers, and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.
Technology-related problems, such as problems in firms’ change- and problem-management practices, can expose firms to operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision) and 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.
Related Considerations
What kind of governance structure has your firm developed to identify and respond to cybersecurity risks?
What is the scope of your firm’s Data Loss Prevention program, including encryption controls?
How does your firm address branch-specific cybersecurity risks?
What kind of training does your firm conduct on cybersecurity, including phishing?
What process does your firm have to evaluate your firm’s vendors’ cybersecurity controls?
Has your firm implemented multi-factor authentication (MFA) or other relevant access management controls?
What controls does your firm implement to mitigate system capacity performance and integrity issues that may undermine its ability to conduct business and operations, monitor risk or report key information?
How does your firm document system change requests and approvals?
What type of testing does your firm perform prior to changes being moved into a production environment and post-implementation?
What are your firm’s procedures for tracking information technology problems and their remediation? Does your firm categorize problems based on their business impact?
Exam Observations and Effective Practices
Exam Observations
Data Loss Prevention Programs – Not encrypting all confidential data, including a broad range of non-public customer information in addition to Social Security numbers (such as other account profile information and firm information).
Branch Policies, Controls and Inspections – Not maintaining branch-level written cybersecurity policies; inventories of branch-level data, software and hardware assets; and branch-level inspection and automated monitoring programs.
Training – Not providing comprehensive training to registered representatives, personnel, third-party providers and consultants on cybersecurity risks relevant to individuals’ roles and responsibilities, including phishing.
Vendor Controls – Not implementing and documenting formal policies and procedures to review prospective and existing vendors’ cybersecurity controls and managing the lifecycle of firms’ engagement with all vendors (i.e., from onboarding, to ongoing monitoring, through off-boarding, including defining how vendors will dispose of non-public client information).
Access Management – Not implementing access controls, including developing a “policy of least privilege” to grant system and data access only when required and removing it when no longer needed; not limiting and tracking individuals with administrator access; and not implementing MFA for registered representatives, employees, vendors and contractors.
Inadequate Change Management Supervision – Insufficient supervisory oversight for application and technology changes (including upgrades, modifications to or integration of firm or vendor systems), which lead to violations of other regulatory obligations, such as those relating to data integrity, cybersecurity, books and records, and confirmations.
Limited Testing and System Capacity – Order management system, account access and trading algorithm malfunctions due to a lack of testing for changes or system capacity issues.
Effective Practices
Insider Threat and Risk Management – Collaborating across technology, risk, compliance, fraud, and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies with regard to data access or data accumulation.
Incident Response Planning – Establishing and regularly testing written formal incident response plans that outlined procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents.
System Patching – Implementing timely application of system security patches to critical firm resources (e.g., servers, network routers, desktops, laptops and software systems) to protect non-public client or firm information.
Asset Inventory – Creating and keeping current an inventory of critical information technology assets—including hardware, software and data—as well as corresponding cybersecurity controls.
Change Management Processes – Implementing change management procedures to document, review, prioritize, test, approve, and manage hardware and software changes, as well as system capacity, in order to protect non-public information and firm services. SOURCE