FINRA and the Securities and Exchange Commission have announced this year’s examination priorities. As in past years, firm technology is on their lists. Let’s review several of the technology areas mentioned by these two regulatory bodies so you and your firm can be better prepared.
Technology Governance: How does your firm manage its technology? Essentially, technology governance involves every product/solution and how your firm approaches the “controls” necessary for each type of system. For example, do you have clear roles and responsibilities for your employees and the technology systems that they use?
In addition, who has “admin” rights on the computers at your firm? Admin rights give everyone (and anyone) the ability to install programs including malware. Also, what process do you follow to implement and test technology changes and upgrades? This directly influences the overall stability of your systems.
Risk Assessment: An important component of this is how your firm oversees all aspects of your technology relationships, such as with partners and vendors. This includes how you evaluate whether you should do business with a provider, the information or data that they have access to, how you manage the ongoing relationship, and also the documentation of this entire effort and work.
Ultimately, your technology relationships are an extension of your firm, with varying degrees of “risk” depending on what the company does for your firm and how deeply involved the company is with your data and processes. Therefore, keep these details and distinctions in mind as you conduct your risk assessment evaluation for each technology relationship.
Cybersecurity: This is a big news topic, from systems being hacked to email fraud attacks to ransomware viruses to the theft of personal private information. Given the nature of cybersecurity and the variety and danger of the cyber-threats, it is critical that your firm’s policies and procedures continue to improve as we learn more on how to better protect our firm and clients.
Last year, the SEC published in its National Exam Risk Alert communication program the findings and guidance on cybersecurity based on an examination of different types of firms. This information can be used to help your firm better evaluate its overall cybersecurity protections and efforts.