Report Underscores FINRA’s Focus on Cybersecurity
View Debevoise Update
Key takeaways:
- On January 10, 2023, the Financial Industry Regulatory Authority (“FINRA”) published its 2023 Report on FINRA’s Examination and Risk Monitoring Program (the “Report”), which is intended to provide member firms with key considerations and observations to use in enhancing their compliance programs. The Report illustrates FINRA’s significant focus on cybersecurity, including its creation of the Cyber and Analytics Unit in August 2022.
- The Report reminds firms about cyber-related regulatory obligations, including Rule 30 of the U.S. Securities and Exchange Commission’s (“SEC”) Regulation S-P and Regulation S-ID (Identity Theft Red Flags), Exchange Act Rules 17a-3 and 17a-4 (Books and Records) as well as FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision) and 3120 (Supervisory Control System).
- The Report provides firms with insights on what it considers effective practices that comply with cybersecurity regulatory obligations and address evolving cybersecurity threats. The Report covers a range of topics, such as risk assessments, written supervisory procedures, incident response planning, authorized system access, new account monitoring, data loss prevention, third-party vendor and supply chain risks, cloud computing, imposter domains, reporting suspicious activity and branch controls.