FINRA and the Securities and Exchange Commission continue their concerted efforts to ensure financial firms’ compliance with cybersecurity regulations. Both regulators have indicated that one of their primary concerns for the coming year is cybersecurity. In particular, FINRA intends to review firms’ approaches to cybersecurity risk management, examining one or more of the following topics: governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training. In addition, FINRA will continue to examine firms’ ability to protect confidential client information, including compliance with SEC Regulation S-P. FINRA has continued its efforts to enforce cybersecurity requirements and will almost certainly increase efforts to hold firms accountable for violations in this regard moving forward.
Likewise, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued risk alerts for the past two years regarding the OCIE’s launch and follow-up summary of OCIE’s Cybersecurity Examination Initiative. As an example of the SEC’s increased scrutiny of firms’ cybersecurity measures, in 2015 the SEC instituted its first enforcement proceeding against a registered investment advisor for violations of Rule 30(a) of Regulation S-P, based on a failure to adhere to reasonable cybersecurity measures. Like FINRA, the SEC has indicated it will continue to take registered firms to task over this issue.
As both FINRA and the SEC have made clear, cybersecurity is at the top of their to-do lists — it should be at the top of investment firms’ lists as well. This article will look at the enforcement measures taken by both FINRA and the SEC regarding cybersecurity, and discuss best practices to navigate the challenging regulatory environment ahead.
What Is “Cybersecurity”?
Generally, FINRA takes a broad view and defines cybersecurity as the protection of investor and firm information from being compromised through — in whole or in part — electronic digital media (e.g., computers, mobile devices or Internet protocol-based telephony systems). “Compromised” refers to a loss of data confidentiality, integrity or availability.
FINRA understands that not all member firms will view the universe of issues impacted by FINRA’s definition of cybersecurity as within the scope of their respective cybersecurity programs. For example, some firms would address social engineering fraud (e.g., fraudulent wire transfers carried out through socially engineered phishing attacks) through their anti-fraud programs, rather than their cybersecurity programs. This article will focus on those issues commonly addressed through firms’ cybersecurity programs.
Underlying Rules and Regulations
FINRA’s enforcement actions regarding cybersecurity to date have sought to enforce NASD Rules 3010, 3011 and 3012; FINRA Rules 3110, 3310 and 2010; as well as Rule 30(a) of SEC Regulation S-P. The SEC also utilized Rule 30(a) of Regulation S-P in its recent enforcement action against a registered investment advisor regarding the advisor’s cybersecurity protocols. Thus, Rule 30(a) of Regulation S-P has become the rule of choice of regulators seeking to enforce cybersecurity requirements. Rule 30(a) of Regulation S-P states as follows:
(a) Every broker, dealer and investment company, and every investment advisor registered with the commission, must adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
Ensure the security and confidentiality of customer records and information;
Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Representative Enforcement Actions
FINRA has brought multiple enforcement actions related to cybersecurity, dating back as far as 2006. Here are some examples of enforcement actions brought by FINRA, which will serve to show the breadth of FINRA’s power to enforce its cybersecurity agenda.
In each of the FINRA enforcement actions described herein, the respondent firms entered into acceptance, waiver and consent agreements with FINRA, in which the firms neither admit nor deny the allegations, but consent to the entry of findings of fact as described in the orders for the purpose of the proceedings.
Department of Enforcement v. VCA Securities
In this enforcement action, FINRA alleged violations of NASD Conduct Rules 3010(a) and (b), 3012(a)(2)(B)(i) and FINRA Rule 2010 in connection with the hack of a VCA customer email account, which resulted in unauthorized letters of authorization (LOAs) and wire transfers to an unauthorized third-party bank account. In June 2014, an unauthorized user hacked the customer’s email account, impersonated the customer and emailed three unauthorized LOAs to VCA to transfer money to an unauthorized account. VCA completed the first two transfers before realizing that the third LOA was, in fact, unauthorized. VCA had trained its representatives to verbally confirm the authenticity of LOAs received by email before transmitting customer funds to third-party accounts; however, the firm did not incorporate this requirement into its written supervisory procedures. The VCA representative did not verbally confirm the first two LOAs, but did contact the customer regarding the third LOA. VCA reimbursed the customer and ultimately recovered $175,257.26 from the hacker’s third-party account.
FINRA found that VCA failed to establish, maintain and enforce an adequate supervisory system and adequate written supervisory control procedures reasonably designed to monitor the transmission of funds from customer accounts to third-party accounts. FINRA censured and fined VCA $35,000.
Department of Enforcement v. Sterne Agee & Leach
Here, FINRA alleged violations of Rule 30 of Regulation S-P, NASD Conduct Rule 3010 and FINRA Rule 2010 in connection with the inadvertent placement of the personal and confidential information of 352,551 customers at risk. An employee of the firm inadvertently left an unencrypted laptop in a public restroom and it was lost. The laptop contained highly sensitive files with account numbers, tax identification numbers, names and addresses of customers from a period of 21 years. Sterne Agee’s information security policy and standards did not require encryption of laptop hard drives, despite the fact that the firm had acknowledged the need for encryption of laptops years prior to the loss.