FINRA and the Securities and Exchange Commission have announced this year’s examination priorities. As in past years, firm technology is on their lists. Let’s review several of the technology areas mentioned by these two regulatory bodies so you and your firm can be better prepared.
Technology Governance: How does your firm manage its technology? Essentially, technology governance involves every product/solution and how your firm approaches the “controls” necessary for each type of system. For example, do you have clear roles and responsibilities for your employees and the technology systems that they use?
In addition, who has “admin” rights on the computers at your firm? Admin rights give everyone (and anyone) who holds them the ability to install programs, including malware. Also, what process do you follow to implement and test technology changes and upgrades? This directly influences the overall stability of your systems.
Risk Assessment: An important component of this is how your firm oversees all aspects of your technology relationships, such as with partners and vendors. This includes how you evaluate whether you should do business with a provider, the information or data that they have access to, how you manage the ongoing relationship, and also the documentation of this entire effort and work.
Ultimately, your technology relationships are an extension of your firm, with varying degrees of “risk” depending on what the company does for your firm and how deeply involved the company is with your data and processes. Therefore, keep these details and distinctions in mind as you conduct your risk assessment evaluation for each technology relationship.
Cybersecurity: This is a big news topic, from systems being hacked to email fraud attacks to ransomware viruses to the theft of personal private information. Given the nature of cybersecurity and the variety and danger of the cyber-threats, it is critical that your firm’s policies and procedures continue to improve as we learn more on how to better protect our firm and clients.
Last year, the SEC published in its National Exam Risk Alert communication program the findings and guidance on cybersecurity based on an examination of different types of firms. This information can be used to help your firm better evaluate its overall cybersecurity protections and efforts.
Business Continuity Planning: Given the size and scope of the weather events that have occurred over the past 12 months, many firms have had their business continuity plans (BCP) called into action. Make sure your firm’s BCP is a living document that addresses multiple types of disruption challenges.
The technology your firm owns, along with your outside technology relationships, all play critical roles in the BCP. However, how you back up or recover each system could be different, and every recovery path needs to be regularly tested.
For example, dealing with a corrupted file server or database versus your phone system going offline could entail very different BCP action steps. Think them through, outline your response paths, and keep your continuity plan up to date.
Training: This area may require more attention than it gets at your firm. Although you might spend a lot of money on the best technology systems, without an adequate training program and knowledgeable staff, there is no technology system available that will stop every fraud attempt, virus attack, etc.
This is why your firm’s training program in conjunction with your policies and procedures goes hand in hand with the investment in your technology systems. Also, remember to test the effectiveness of the training program. It is not about the actual time spent, but whether the information becomes a part of the DNA and behavior of your employees.
Each technology area involves regulatory rules and guidelines that apply to your firm. That alone should get your attention, regardless of whether your firm is audited this year or next. Of course, it all makes good business sense, too.
Dan Skiles is the president of Shareholders Service Group in San Diego. He can be reached at firstname.lastname@example.org.