FINRA broker-dealers operate in one of the industries most frequently targeted by cyber criminals. In 2014 alone, there were numerous instances of highly-publicized cyber security and data breaches. And being a victim of these types of breaches comes with the added embarrassment of the negative press that invariably follows.
SEC Chair Mary Jo White in a speech earlier this year said about Cyber threats,
“This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And [the] director of the FBI, has testified that resources devoted to cyber-based threats are expected “to eclipse” resources devoted to terrorism.”
Fortunately, there is a significant amount of information available to broker-dealers that can help to ensure they are reasonably compliant with industry standards. FirstMark Regulatory Solutions conducts risk assessments in the area of cyber security and provides recommendations to broker-dealers that help to ensure compliance with industry requirements. Every broker-dealer has an obligation to protect customer information which is spelled out in the safeguarding standards of Regulation SP.
“…the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” – Gramm-Leach Bliley Act
Also, broker-dealers are required under FINRA’s supervision rule to have procedures that are reasonably designed to achieve compliance with rules applicable to each area of the firm’s business. Customer information protection is one of those areas. 
FirstMark advises clients on cyber security and customer data breach issues. With the former, security enhancements can include simple items such as restricting access to certain devices and technologies which can facilitate rapid transfer of large amounts of data (e.g. high speed data ports, copiers connected to the internet, portable media devices, etc.) to sophisticated penetration testing on a broker-dealer’s network. With the latter (data breaches), it is important to remember that many states have very significant penalties for failure to notify clients that their data has been compromised. For example, Florida implemented one of the toughest laws in the nation on July 1, 2014. An unreported breach could yield up to a $500,000 fine.
It is critical that broker-dealers are aware of these requirements and have procedures in place that are sufficient to address the risks inherent it their businesses. FINRA and the SEC have been conducting cyber-security sweep exams in 2014, and have indicated they will continue to do so going forward. For small firms, FINRA has created an excellent resource on cyber security that can be found here.
Mitch Atkins, FINRA’s former SVP and Regional Director has extensive experience in cyber security compliance and customer information protection. For help with your cyber security compliance, contact Mr. Atkins at FirstMark Regulatory Solutions in Boca Raton, Florida at 561-948-6511.