The NetWatcher FINRA Service for Small to Medium Businesses

Before we go into what the NetWatcher FINRA Service provides, let's review what you need to know as an SMB about FINRA compliance.

The cornerstone of the cyber-security regulatory landscape is Regulation S-P. Rule 30 of Regulation S-P (referred to as the “Safeguard Rule”) requires registered broker-dealers, investment advisers and investment companies to establish written policies and procedures reasonably designed to:
  1. Insure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  3. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

See the full regulation here.

The Office of Compliance Inspections and Examinations (OCIE) recently published a sample cyber-security examination document request in connection with its recent risk alert to help firms evaluate their “level of preparedness.” You can find the document here.

The document addresses various cyber-security issues, including:

  • Cyber-security governance (including, for example, written policies and procedures; periodic risk assessments of cyber-security threats and vulnerabilities; cyber-security insurance; and the allocation and communication of cyber-security responsibilities to firm personnel);
  • Protection of firm networks and information (including, for example, user access restrictions; system maintenance; data destruction policies; cyber-security incident response plans; security of removable and portable media; backup system testing; encryption; employee guidance and training; and periodic audits for compliance with information security policies);
  • Risks associated with customer on-line account access and email funds transfer requests (including, for example, customer authentication, detection of anomalous trade requests; and protection of stored personal identification numbers);
  • Risks associated with vendors and outsourcing (including, for example, how cyber-security risks are addressed in vendor contracts; vendor training; and cyber-security risk assessments of vendors);
  • Detection of unauthorized activity (including, for example, monitoring for potential cyber-security incidents; amassing and correlating data on cyber-security incidents; detecting malware and malicious code on networks and devices; detecting unauthorized users, devices, connections, and software on the firm’s network; and using data loss prevention software); 
  • Cyber-security breaches (including, for example, malware; denial-of-service attacks; unauthorized network access; fraudulent emails attempting to transfer customer funds or securities; software or hardware malfunctions that impair network or web resources; and theft, loss, or unauthorized use or access to customer information) and the firm’s responses thereto.

Both the SEC and FINRA are now engaged in active cyber-security “sweep” examinations of firms. Securities regulators have taken enforcement actions against firms based on cyber-security governance failures, as well as for failing to protect networks and non-public customer information with appropriate technology (including encryption, antivirus software and firewalls) and reasonable procedures.

Here are just a few examples:

  • A registered broker-dealer, investment adviser and transfer agent failed to implement enhanced security measures and procedures, despite experiencing a series of “hacking” incidents (more)
  • A registered broker-dealer failed to employ adequate safeguards to ensure that data breaches involving confidential customer information were reported to the Compliance Department and Privacy Officer, as required by the firm’s procedures (more)
  • A registered broker-dealer failed to investigate a data breach and sent inaccurate notifications to customers and registered representatives concerning the data breach (more)
  • The CCO of a broker-dealer failed to enhance cyber-security policies and procedures, despite being aware of three stolen laptop computers (one of which contained confidential customer information) and a representative’s misappropriated email access credentials (more)

All signals also indicate that additional cyber-security regulation and increased cyber-security-related enforcement actions are on the horizon. Just recently, SEC Commissioner Luis Aguilar stated that the Commission will, “with appropriate haste, [...] consider what additional steps the Commission should take to address cyber-threats.” (Read here for details.)

So how can NetWatcher's FINRA Service help your firm with FINRA compliance?

Specifically, we can help you with the following two requirements outlined in the recently published OCIE sample cyber-security examination document request:

  • Detection of unauthorized activity (including, for example, monitoring for potential cyber-security incidents; amassing and correlating data on cyber-security incidents; detecting malware and malicious code on networks and devices; detecting unauthorized users, devices, connections, and software on the firm’s network; and using data loss prevention software); and
  • Cyber-security breaches (including, for example, malware; denial-of-service attacks; unauthorized network access; fraudulent emails attempting to transfer customer funds or securities; software or hardware malfunctions that impair network or web resources; and theft, loss, or unauthorized use or access to customer information) and the firm’s responses thereto.
