Cybersecurity concerns are driving an evolution of financial regulations. Financial Industry Regulatory Authority CEO Robert Cook recently elaborated on what that evolution might look like. He believes self-regulators will need to be more vigilant about maintaining the client’s best interests, abiding by fiduciary requirements, and articulating customer relationships. To a certain extent, each of those issues is tied to cybersecurity.
Whatever changes are made in 2019 and beyond will add to existing Securities and Exchange Commission rules regarding data collection and usage. SEC rule 17a-3 mandates what records broker-dealers must keep, how long they must keep them, and what file formats are acceptable. SEC rule 17a-4 requires broker-dealers to store electronic records in a format that cannot be erased or rewritten and in an archive with the same properties. Based on the comments of regulators and the current cybersecurity landscape, it’s likely these rules will expand.
The Challenge Is Cumbersome
When the SEC originally began regulating electronic records, it was considering only email and a few other formats. Now, however, most communication happens electronically in the form of text messaging, enterprise collaboration tools, video conferencing, group chats, and other ephemeral formats. Because these communications often have to do with business matters falling under a regulatory umbrella, we should expect the financial services sector to face new requirements for preserving information.
Compliance is a major burden, and a breach of compliance has major consequences. Some firms are dealing with tens of millions of messages daily. While technology can automatically archive these messages, the process still requires a ton of human input and oversight.
In fact, compliance has been compared to a jobs program because it requires so much human labor. As FINRA, the SEC and other regulatory bodies begin to get serious about cybersecurity — especially against a backdrop of data breaches and increasingly sophisticated attacks — compliance will grow to become as much of a challenge as it is an obligation.
Responding to New Rules
As regulations evolve to meet the parameters of an ever-shifting cybersecurity landscape, it’s wise to keep best practices in mind. If you can commit to regularly reviewing and adopting those best practices, you’ll position yourself as an industry leader and stay on the right side of regulatory agencies. Here is a handful of ways to accomplish compliance:
- Update written supervisory procedures regularly. WSPs outline what data is collected, how it is interpreted and how it is stored. As regulations change, WSPs should be updated semi-annually at least (or quarterly at best). Working with a supervision interface that provides oversight into how WSPs are drafted and applied makes it easier for brokerages to manage these documents across client groups.
- Participate in a peer group. Participation in a FINRA group or another organization of peers should be considered mandatory. Financial regulations are necessarily byzantine, and compliance best practices are just as complicated. It will take time for both regulators and brokerages to establish how to enforce new rules and how to manage compliance. Working with a group of peers and insiders allows individual broker-dealers to access thought leadership and implement best practices as early as possible.
- Utilize outside expertise. Financial acumen and compliance expertise are two very different skill sets. Brokerages that rely entirely on their in-house resources to manage compliance may be lacking in manpower or perspective. Bringing in outside counsel ensures these brokerages are managing compliance as effectively and comprehensively as possible.
- Leverage the vendor. Vendors are already experts in archiving and supervision, and their solutions are targeted at common compliance pain points. These vendors are eager to provide solutions, not just products, which is why they are integral partners for any brokerage that is eager to both improve and expand its compliance efforts.
You may have heard a saying: “Thou shalt archive.” It’s certainly in the best interest of broker-dealers to store as much data as possible. Effective archiving leads to better services for clients, and it’s something future regulators will mandate. It might not be a requirement now, but it should be a priority.
David Wagner has more than 25 years of experience in the IT security industry. He serves as the president and chief executive officer of Zix, a leader in email security, and previously held leadership roles at Entrust for 20 years. With his IT security and leadership background, David offers a business perspective that enables company leaders to better understand evolving cyberattacks and prepare for future threats.