SEC and FINRA Exam Priorities

In their recent examination priorities letters, both the SEC and FINRA highlighted cybersecurity as an area of focus for 2015 exams.

In the SEC letter, the Office of Compliance Inspections and Examinations (OCIE) explained that it will continue its 2014 initiative to examine broker-dealers’ and investment advisers’ cybersecurity compliance and controls, and also plans to expand the initiative to include transfer agents. The SEC’s 2014 initiative involved examinations of broker-dealers and investment advisers that focused on the following areas: the entity’s cybersecurity governance, identification and assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.

The FINRA letter states that examiners will review broker-dealers’ approaches to cybersecurity risk management, including their governance structures and processes for conducting risk assessments and addressing the output of those assessments. FINRA specifically plans to focus on firms’ approaches to ensuring compliance with Rule 17a-4(f) under the Securities Exchange Act of 1934 (which permits firms to store records electronically, provided that the media preserve the records exclusively in a non-rewriteable, non-erasable format) in the event of a cyber attack. FINRA also signaled that it will soon publish the results of its 2014 cybersecurity sweep.