The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by the SEC) recently released their 2017 examination priorities.  It is no surprise to find cybersecurity listed as an examination priority again this year.

OCIE and FINRA have repeatedly recognized cybersecurity as an examination priority.  OCIE first identified cybersecurity as an examination issue in 2014, and FINRA first mentioned data security and online defense as an issue in 2008.  Today, U.S. financial institutions regularly face increasingly sophisticated cyberattacks that seek to access or steal customer data or to disrupt operations, and that expose firms to reputational harm.  In light of these threats, OCIE and FINRA have further developed and refined their cybersecurity examination priorities to better identify and mitigate cyber risks for market participants.  Details follow below.

SEC’s 2017 Examination Priorities

The SEC, through OCIE, publishes annual examination priorities to identify issues that present a risk to investors or capital markets.  For 2017, OCIE again listed cybersecurity as a market-wide risk and examination priority.  OCIE promises to “continue [its] initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.”

OCIE’s Examination Priorities for 2017 are available here.

FINRA’s 2017 Regulatory and Examination Priorities

In its latest Examination Priorities guidance, FINRA identified cybersecurity threats as “one of the most significant risks” that firms face in 2017.  Recognizing that cyber threats are dynamic and evolving, and that “there is no one-size-fits-all approach to cybersecurity,” FINRA stated that it would “tailor [its] assessment of cybersecurity programs to each firm” based on certain factors, such as its business model, size and risk profile.

FINRA also said it will focus on firms’ data loss prevention and vendor relationship management policies.  In assessing data loss prevention, FINRA plans to examine firms’ data storage policies, data flows, and the tools used to monitor and protect data.  With respect to management of vendor relationships, FINRA would review firms’ policies, consider whether vendors have access to sensitive firm data, and assess any controls put in place to protect firm data from insider threats.  FINRA also underscored two common weaknesses in cybersecurity controls that it has observed:  (i) password protections, encryption, network and system maintenance, and physical security at branch offices tend to be weaker than at a firm’s headquarters; and (ii) some firms may not be complying with all or parts of Securities Exchange Act Rule 17a-4(f), which requires firms to preserve required records in a non-rewriteable, non-erasable format (commonly called a “write once, read many” or “WORM” format).

FINRA’s 2017 Annual Regulatory and Examination Priorities Letter is available here.

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group and as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.