Preparing for upcoming exams – The intersection of SEC and FINRA 2021 priorities
On 1 February 2021, FINRA issued its 2021 Report on FINRA's Examination and Risk Monitoring Program ("FINRA Report") and a bit more than a month later, the SEC’s recently renamed Division of Examinations issued its own 2021 Examination Priorities ("Exam Priorities"). Each of these documents is quite long, with the FINRA report at 44 pages and the Exam Priorities document at 36 pages, and although there are some differences in focus and scope, we did find some common themes, which we have chosen to highlight in what we hope will be a helpful summary.
In brief
Cybersecurity and operational resiliency
Registrants should continue to monitor their operational cybersecurity compliance and business continuity plans in light of the effects of the ongoing pandemic. They also should take into account the effects of climate change on their business continuity plans.
The effects of the pandemic and the resulting risks from a remote work and operations environment
As described in each of their recent examinations documents, both the SEC and FINRA expect registrants to calibrate their cybersecurity compliance and business continuity plans to take into account the greater risks from a remote work and operations environment.
For instance, according to the SEC Exam Priorities, the pandemic has heightened the SEC’s concern with endpoint security, data loss, remote access, use of third-party communication systems, and vendor management. Similarly, the FINRA Report disclosed greater concerns with cybersecurity risks associated with the remote work environment combined with what FINRA observed to be an increase in cyber-related crimes. In particular, FINRA observed higher numbers of cybersecurity incidents including system-wide outages, email and account takeovers, fraudulent wire requests, imposter websites and ransomware.
With these concerns in mind, in the upcoming year, the SEC Examination Staff will review whether firms have taken appropriate steps to:
safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
oversee vendors and service providers;
address malicious email activities, such as phishing or account intrusions;
respond to incidents, including those related to ransomware attacks; and
manage operational risk as a result of dispersed employees in a work-from-home environment.
FINRA will similarly review cybersecurity programs for compliance with business continuity plan requirements, as well as the SEC’s Regulation S-P Rule 30, which requires maintenance of policies and procedures for the protection of customer records and information.