It is not only the Federal Trade Commission, State Attorneys General and Congress that are focused on data and cybersecurity these days. The Financial Industry Regulatory Authority (“FINRA”), an independent private organization that regulates member brokerage firms and exchange markets, is joining the fray, recently announcing that it has sent “sweep” letters to a number of broker-dealers posing questions about their cybersecurity practices. (A “sweep” letter is a targeted examination tool used by FINRA and other regulators to carry out investigations and gather information across many firms at once, so that the regulator can focus its examinations and tailor its regulatory response to emerging issues.)
If successful, these sweep letters will allow FINRA to:
- obtain a better understanding of the types of threats that firms face;
- increase its understanding of firms’ appetite for risk and exposure and the major vulnerabilities in their IT systems;
- better understand firms’ approaches to managing cyber threats, including through the risk assessment process, IT protocols, application management practices and supervision; and
- share observations and findings with other firms.
Interest in data and cybersecurity appears to be at an all-time high following the recent high-profile and significant breach involving Target, the re-introduction of a proposed federal data security breach notification law, and a recent lawsuit filed by the California Attorney General against Kaiser Foundation Health Plan for an alleged failure to provide timely breach notification.
According to the FINRA release concerning the cybersecurity sweep letters, the assessments will address a variety of areas related to cybersecurity, including firms’:
- approaches to information technology risk assessment;
- business continuity plans in case of a cyber-attack;
- organizational structures and reporting lines;
- processes for sharing and obtaining information about cybersecurity threats;
- understanding of concerns and threats faced by the industry;
- assessment of the impact of cyber-attacks on the firm over the past twelve months;
- approaches to handling distributed denial of service attacks;
- training programs;
- insurance coverage for cybersecurity-related events; and
- contractual arrangements with third-party service providers.
FINRA plans to report its findings back to the industry and, ideally, will then issue cybersecurity guidance to its member firms.