FINRA Sends Sweep Letters Asking Firms About Approach to Cybersecurity Threats
By Yin Wilczek
Feb. 7 – The Financial Industry Regulatory Authority has sent targeted sweep letters to almost 20 broker-dealers querying their approaches to managing cybersecurity risks, a spokesperson told Bloomberg BNA Feb. 7.
Among other questions, the survey asks the firms about their:
• approaches to information technology risk assessment;
• business continuity plans in case of a cyber-attack;
• organizational structures and reporting lines; and
• processes for sharing and obtaining information about cybersecurity threats.
Michelle Ong said the letters were sent to a “diverse group of firms with different business models.”
The survey was prompted by the fact that broker-dealers consistently have said, during discussions with FINRA, that cybersecurity is one of their top five risk concerns, Ong said. “We thought it was important to better understand what controls are in place, and identify best practices and areas of concern.”
Cybersecurity has become a top regulatory concern in the wake of high-profile attacks on Target Corp. (20 SLD, 1/30/14), Neiman Marcus and other companies.
FINRA posted the sweep notice on its website Feb. 6. It said in the notice that it wants to better understand the types of cyber threats firms face, and their “risk appetite, exposure and major areas of vulnerabilities.” FINRA said it will share the survey findings with its members where appropriate.
FINRA and other regulators, including the Securities and Exchange Commission, conduct targeted examinations – known as sweeps – to gather information and to facilitate investigations. Data gathered from sweep letters – which are sent to select regulated entities based on various factors – helps the regulators focus their exams and learn more about emerging issues.
SEC Exam Priority
Meanwhile, SEC Chairman Mary Jo White testified Feb. 6 before the Senate Banking Committee that the agency’s National Examination Program has included cybersecurity as an examination priority for 2014.
In January, Jane Jarcho, NEP national associate director, said SEC examiners will be reviewing the resources expended by registrants on information security, their policies to ensure regular assessment of cybersecurity risks, and their policies to prevent, detect and respond to cyber attacks (21 SLD, 1/31/14). The examiners also will look at registrants’ plans for identity theft, lost information and business continuity, Jarcho said.
To contact the reporter on this story: Yin Wilczek in Washington at email@example.com
To contact the editor responsible for this story: Susan Jenkins at firstname.lastname@example.org
FINRA’s sweep notification is available at http://www.finra.org/Industry/Regulation/Guidance/TargetedExaminationLetters/P443219.
White’s testimony is available at http://www.sec.gov/News/Testimony/Detail/Testimony/1370540757488#.UvVcWJUo61s.