Finra is reviewing technology controls and cybersecurity programs of broker-dealer firms but is taking a consultative approach, according to executives at the self-regulator.
Gregory Markovich, part of a cybersecurity specialist team at Finra, acknowledged at a conference this week that cybersecurity is “challenging” and “evolving,” and the self-regulator takes those factors into consideration when reviewing member firms.
“When we come on-site to do a review, we’re trying to help you understand what you should be doing, what some of the effective practices are in the industry,” Markovich, regulatory principal at the Chicago District Office’s Finra member supervision unit, said at the 2020 Cybersecurity Conference in New York City.
“Our end goal isn’t to write a bunch of exceptions or anything like that. It’s to help you identify any gaps that you have and help you improve your programs,” he added.
Finra has a six-member cybersecurity specialist team that conducts reviews, and the team also works alongside general examiners who conduct cybersecurity reviews of their own. The specialist team carried out nearly 50 reviews in 2019, while general examiners did close to 150 reviews, according to Markovich.
Both Finra and the SEC have issued warnings about cybersecurity risks.
Most recently, Finra identified cybersecurity as “an increasingly large operational risk” in its 2020 risk monitoring, surveillance and examination priorities letter.
In that letter, Finra said it will “thoroughly assess” whether its member firms’ policies and procedures are “reasonably designed to protect customer records and information” consistent with its rules.
Finra noted in the letter that there is no one-size-fits-all approach to cybersecurity, but it expects firms to implement controls appropriate to their business model and scale of operations.
Concerns over branch office cyber controls
Branch office cybersecurity controls are among the common cybersecurity weaknesses observed by Salvatore Montemarano, an examiner at the SEC’s Office of Compliance and Inspections.
While firms can have strong policies and procedures at the headquarters level and provide guidance for the branch offices, there is still a “significant gap” in security controls for branch offices, Montemarano said at the conference.
“In some cases, it can be critical because in some cases, client data resides in these branch offices,” he said.
Cybersecurity risks at branch offices were also identified by Finra in a cybersecurity practices report in December 2018.
Dave Kelley, surveillance director at the Kansas City District Office’s Finra member supervision unit, noted at the conference that branches are buying their own equipment, setting up their own software and cybersecurity.
“It may be some kid down the street that’s doing it for them and they don’t really understand security,” Kelley said.
Finra’s Markovich said establishing cyber controls may be easier now that more tools are available, including monitoring desktops at branch offices from the home office to ensure controls are in place.