SEC and FINRA Cybersecurity Examination Priorities

By Alma Angotti

On October 16, 2023, the Division of Examinations of the US Securities and Exchange Commission (SEC) announced its annual examination priorities[1] (the "2024 Priorities"), indicating that cybersecurity remains a perennial priority focus area affecting multiple market participants, including broker-dealers and investment advisors. Similarly, in its 2023 Report on Examination and Risk Monitoring Program[2], the Financial Industry Regulatory Authority (FINRA) notes that cybersecurity is one of the principal operational risks facing broker-dealers and that FINRA expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model, and scale of operations.

This update provides a summary of the cybersecurity and operational resiliency priorities registrants and member firms can anticipate in the upcoming regulatory examinations.


Relevant Regulations and Regulatory Priorities

Based on the full scope of the examination priorities highlighted by the SEC and FINRA this year, registrants and member firms should note the following themes:

1. Information Security and Operational Resilience

Rule 30 of SEC Regulation S-P[3] requires member firms to have written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Having proposed investment adviser cyber rules[4] and changes to Regulation S-P[5] and recently finalized cyber rules for public companies,[6] the SEC notes in the 2024 Priorities that it will continue to review registrants’ practices to prevent interruptions to “mission-critical” services and to protect investor data and assets. FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information)[7] also applies to denials of service and other interruptions to member firms’ operations due to emergency or significant business disruption.

The regulators note the following factors that contribute to an increased risk to firms’ information security and operational resiliency:

  • Lack of multifactor authentication for login access to the operational, email, and other systems for employees, contractors, and customers.
  • Inadequate planning and design for the use of cloud-based systems and technology.
  • Not enforcing and updating the firm’s cybersecurity written supervisory procedures.
  • Not sufficiently logging or retaining business or technical data to effectively support forensic analysis of cyber events.
  • Not maintaining an Incident Response Plan that includes guidance for common cybersecurity incidents (e.g., data breaches, ransomware infections, and account compromise or takeovers).
  • Not having procedures for investigating cybersecurity incidents and considering whether a Suspicious Activity Report filing is required based on applicable guidance from the Financial Crimes Enforcement Network.

2. Identity Theft Prevention Program (ITPP)

Regulation S-ID (Identity Theft Red Flags)[8] requires member firms to develop and implement a written program to detect, prevent, and mitigate identity theft in connection with the opening or maintenance of “covered accounts.”[9] Having recently published a risk alert[10] on observations from compliance examinations related to identity theft prevention under Regulation S-ID, the SEC indicates in the 2024 Priorities that it will consider whether registrants adequately train staff regarding their identity theft prevention program and relevant policies and procedures designed to protect customer records and information.

In its Report, FINRA warns firms against implementing a generic ITPP not appropriately tailored to the firm’s size, complexity, and the nature and scope of the firm’s activities, and advises that firms periodically update their ITPPs to reflect changes in identity theft risks.

3. Branch Office Security Controls

Because many registrants consist of a main office and multiple other branch offices, the SEC will continue to look at practices to prevent account intrusions and safeguard customer records and information, including personally identifiable information, across multiple offices. This year’s findings from ongoing regulatory efforts include: 

  • Lack of security controls that branch offices must follow when maintaining their own email, application systems, or servers, and failure to respond to a breach of those controls.
  • Failure to implement firms’ foundational security controls (e.g., anti-virus software, security patches) when allowing registered representatives to use personal devices for business.
  • Not maintaining an inventory of all branch office technology assets used to access the firm’s systems or data, including personal computers and servers.
  • Lack of adequate training for branch office staff regarding how to respond to cyber events in the branch, including reporting the incident to the home office.

4. Third-Party Vendor Risk Management

The SEC will continue to assess different vendor cybersecurity risk management topics, including risks associated with the use of third-party providers, the security and integrity of vendor products and services, how registrants identify and address risks to essential business operations, and unauthorized use of such providers. Consistent with its mission to inform policy, the SEC will evaluate the concentration risk associated with the use of third-party vendors, including how registrants are managing this risk and the potential impact on US securities markets. FINRA notes the following factors contributing to the lack of an effective vendor risk management system:

  • Not maintaining a list of all third-party services and of the hardware and software components provided by each vendor, and consequently being unable to identify all such components and services in the event of a security breach at a vendor.
  • Lack of a third-party vendor risk assessment process during onboarding and periodically thereafter.


Effective Cybersecurity Practices

The regulators share the following effective practices that registrants and member firms have developed to mitigate the highlighted cybersecurity threats.

Data Backups — Completing regular backups of critical data and systems and ensuring the backups are encrypted, stored off-network, and can be restored when needed.
Risk Assessments — Regularly assessing the firm’s cybersecurity risk profile based on changes in the firm’s size, business model, and newly identified threats; regularly updating the firm’s cybersecurity and AML programs based on the assessments.
Imposter Domains — Monitoring for imposter domains that pretend to represent the firm or a registered representative and maintaining procedures for responding to imposter domain reports.
Outbound Email Monitoring — Scanning outbound emails to identify and block sensitive customer information or confidential firm data sent to unauthorized recipients.
Secure Configurations — Ensuring that desktops, laptops, and servers are using current software with secure settings that expose only required services, reducing the system’s attack surface.
Log Management — Capturing log data from a broad set of sources and retaining it for a sufficient amount of time.
Branch Office Procedures — Limiting the use of branch-managed servers for email and other applications and, if branch-managed servers are permitted, ensuring adequate security controls are maintained.
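The "Outbound Email Monitoring" practice above is the one item in this list that is concrete enough to show in code. The following is an added example written for this page, not code from the article, the SEC, or FINRA: a minimal outbound-mail data loss prevention check that parses a message, looks for sensitive customer identifiers in the subject and body, compares the recipients against a set of authorized domains, and blocks only when sensitive content is headed somewhere unauthorized. The authorized domains, the detection patterns, and the sample messages are all constructed assumptions; a real deployment would tune the patterns to the firm's own record formats.

```python
"""Added example (not from the article): a minimal outbound e-mail DLP check.

All domains, patterns and sample messages below are constructed assumptions.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed assumption: domains that may legitimately receive customer data.
AUTHORIZED_DOMAINS = {"examplefirm.com", "custodian-example.com"}

# Constructed assumption: detectors for sensitive customer or firm information.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\bACCT-\d{8}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}


def recipients_of(msg: Message):
    """Collect every address from the To, Cc and Bcc headers."""
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        value = msg.get(header)
        if value:
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


def unauthorized_recipients(addrs):
    """Return the addresses whose domain is not on the authorized list."""
    flagged = []
    for addr in addrs:
        # Tolerates both "user@domain" and "Name <user@domain>" forms.
        match = re.search(r"@([A-Za-z0-9.-]+)", addr)
        domain = match.group(1).lower() if match else ""
        if domain not in AUTHORIZED_DOMAINS:
            flagged.append(addr)
    return flagged


def body_text(msg: Message):
    """Extract the text/plain content of a single-part or multipart message."""
    parts = []
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    else:
        payload = msg.get_payload(decode=True) or b""
        parts.append(payload.decode(msg.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def sensitive_findings(text):
    """Names of the patterns that match, sorted for stable comparison."""
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text))


def evaluate_outbound(raw_message: str):
    """Decide whether an outbound message should be blocked.

    Policy: block only when sensitive content is addressed to an unauthorized
    domain. Sensitive data sent to an authorized custodian, or benign mail
    sent anywhere, is allowed but the findings are still returned for logging.
    """
    msg = message_from_string(raw_message)
    scanned = (msg.get("Subject") or "") + "\n" + body_text(msg)
    findings = sensitive_findings(scanned)
    bad_rcpts = unauthorized_recipients(recipients_of(msg))
    return {
        "block": bool(findings) and bool(bad_rcpts),
        "findings": findings,
        "unauthorized_recipients": bad_rcpts,
    }


# Constructed sample messages used to exercise the check.
SAMPLE_BLOCKED = """From: rep@examplefirm.com
To: Personal Mailbox <someone@personal-mail.example>
Subject: Client statement

Per our call, the client's SSN is 123-45-6789 and the account is ACCT-12345678.
"""

SAMPLE_ALLOWED = """From: rep@examplefirm.com
To: ops@custodian-example.com
Subject: Client statement

Per our call, the client's SSN is 123-45-6789 and the account is ACCT-12345678.
"""

SAMPLE_BENIGN = """From: rep@examplefirm.com
To: someone@personal-mail.example
Subject: Lunch

Are you free on Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("blocked", SAMPLE_BLOCKED), ("allowed", SAMPLE_ALLOWED), ("benign", SAMPLE_BENIGN)):
        print(label, evaluate_outbound(sample))
```

The decision is deliberately split from the findings: examiners look for evidence that sensitive data was detected and handled, so even allowed messages should have their findings recorded, which is why the function returns them rather than discarding them when no block occurs.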

Given the evolving nature, increasing frequency, and mounting sophistication of cyberattacks, cybersecurity practices remain a key focus for regulators, suggesting that the SEC and FINRA expect registrants and member firms to continue demonstrating proactive efforts to reduce both the frequency and magnitude of cybersecurity incidents. 

Guidehouse is well-equipped to consult clients on their existing cybersecurity compliance policies and procedures, perform a risk assessment, identify potential gaps in their existing cybersecurity program, improve their supervisory procedures and controls, and ensure the clients are well-positioned to weather exams and other regulatory inquiries in the coming year. 

This article is co-authored by Alma Angotti and Natalia Prokofyev. 


[1] SEC Division of Examinations, 2024 Examination Priorities, https://www.sec.gov/files/2024-exam-priorities.pdf.
[2] FINRA, 2023 Report on FINRA’s Examination and Risk Monitoring Program, https://www.finra.org/sites/default/files/2023-01/2023-report-finras-examination-risk-monitoring-program.pdf.
[3] SEC, Regulation S-P, n.d., https://www.sec.gov/spotlight/regulation-s-p.htm.
[4] The SEC proposed rules on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies. See Securities and Exchange Commission, Release Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22 (February 9, 2022), https://www.sec.gov/files/rules/proposed/2022/33-11028.pdf.
[5] SEC, SEC Proposes Changes to Regulation S-P to Enhance Protection of Customer Information, n.d., https://www.sec.gov/news/press-release/2023-51.
[6] The SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure earlier this year. See SEC Release Nos. 33-11216; 34-97989, Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (July 26, 2023), https://www.sec.gov/files/rules/final/2023/33-11216.pdf.
[7] FINRA Rule 4370, Business Continuity Plans and Emergency Contact Information, n.d., https://www.finra.org/rules-guidance/rulebooks/finra-rules/4370.
[8] Identity Theft Red Flags Rules (Regulation S-ID), Securities Exchange Act Release No. 69359, Investment Advisers Act Release No. 3582, Investment Company Act Release No. 30456 (April 10, 2013), 78 FR 23638 (April 19, 2013).
[9] See 17 CFR 248.201(b)(3) for a definition of “covered accounts.”
[10] SEC, Observations from Broker-Dealer and Investment Advisor Compliance Examinations Related to Prevention of Identity Theft under Regulation S-ID, 2022, https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf.

Alma Angotti, Partner
