Cybersecurity Announced as a 2015 Exam Priority by the SEC and FINRA
In January 2015, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each announced their 2015 examination priorities, and both agencies emphasized cybersecurity as a primary exam focus (SEC Examination Priorities, FINRA Examination Priorities).
The SEC designated cybersecurity a market-wide risk in its examination priorities letter, underscoring how important it considers cybersecurity to be to the integrity of the market system and to the protection of customer data. In 2014, the SEC examined investment advisers’ and broker-dealers’ cybersecurity compliance and controls. In 2015, the SEC will continue these efforts and extend them to transfer agents.
FINRA will prioritize firms’ cybersecurity risk management approaches in its exams. This review will include firm governance structures, as well as processes for conducting risk assessments and for acting on the results of those assessments. Because a cyberattack could destroy firm and customer data, FINRA examiners will also evaluate how firms ensure continued compliance with SEC Rule 17a-4(f) in the event of a cyberattack. Rule 17a-4(f) permits firms to store records electronically, provided that the storage media preserves “the records exclusively in a non-rewriteable, non-erasable format.”
The SEC and FINRA each launched cybersecurity examination sweeps in 2014 to better understand the types of threats posed by cyberattacks and to assess firms’ cybersecurity preparedness (SEC Security Initiative, FINRA Targeted Cyber Security Examination Letter). FINRA has announced that it will publish the results of its sweep in early 2015, while the SEC has not said whether it will publish its findings.