2024 FINRA Annual Regulatory Oversight Report – Cybersecurity

Announced on Jan 10th 2024.

The 2024 FINRA Annual Regulatory Oversight Report (the Report) provides member firms with insight into findings from FINRA’s Member Supervision,Market Regulation and Enforcement programs (collectively, “regulatory operations programs”). The Report reflects FINRA’s commitment to providing greater transparency to member firms and the public about our regulatory activities. (All information here is quoted from the report)

The report is attached in this link https://www.finra.org/sites/default/files/2024-01/2024-annual-regulatory-oversight-report.pdf

The 2021-2023 versions of the Report were published under its previous title (i.e., Report on FINRA’s Examination and Risk Monitoring Program). The new title represents FINRA’s ongoing efforts to increase both the integration among our regulatory operations programs and the utility of the Report for member firms as an information source they can use to strengthen their compliance programs.

As in the 2021-2023 Reports, this year’s Report addresses a broad range of topics. Notably, the Report introduces new content dedicated to crypto assets; new topics within the Market Integrity section (e.g., OTC Quotations in Fixed Income Securities, Advertised Volume); information related to artificial intelligence’s potential impact on firms’ regulatory obligations; and guidance concerning firms’ supervision and retention of off-channel communications.

Additionally, for each topical area covered, the Report continues to:
– identify the relevant rule(s)
– highlight key considerations for member firms’ compliance programs
– summarize noteworthy findings or observations from recent oversight activities
– outline effective practices that FINRA observed through its oversight activities
– provide additional resources that may be helpful to member firms in reviewing their supervisory procedures and controls and fulfilling their compliance

FINRA’s intent is that the Report be an up-to-date, evolving resource or library of information for member firms. To that end, the Report builds on the structure and content in the 2021-2023 Reports by adding new topics denoted NEW FOR 2024 and new material (e.g., new findings, effective practices) to existing sections where appropriate. (New material in existing sections is in bold type.)

 Key Sections of the report that describe the Cybersecurity obligations

 Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program reasonably designed to detect, prevent and mitigate identity theft in connection with the opening or maintenance of “covered accounts.”

New SEC Cybersecurity Rules

In July 2023, the SEC adopted rules requiring public reporting companies to disclose:

  • Material aspects of cybersecurity incidents they experience (e.g., nature, scope, timing, material impact) within four business days after the firm determines the incident is material
  • Material information regarding their cybersecurity risk management, strategy and governance on an annual basis.

In addition, in March 2023, the SEC proposed a cybersecurity risk management rule that, if adopted, would require member firms and other market participants to address cybersecurity risks, including by:

  • Establishing, maintaining and enforcing written policies and procedures that are reasonably designed to address cybersecurity risks
  • Providing the SEC with immediate written electronic notice of significant cybersecurity incidents.

Member firms that are “covered entities” would further be required to:

  • Include minimum specified elements in their written cybersecurity policies and procedures
  • Report to the SEC and update information about significant cybersecurity incidents
  • Publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar years.

For additional guidance, FINRA recommends:

  • FINRA Cybersecurity Advisory – SEC Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (September 21, 2023)
  • SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets (March 15, 2023)

Related ConsiderationsTechnology Management

Complexity of Business

  • Does your firm have supervisory controls for designing, implementing and monitoring the health and performance of technology solutions?
  • Has your firm established supervisory control reviews and metrics to measure control effectiveness?

Vendor Management

  • What process has your firm established to assess the risks associated with third-party vendors during the initial onboarding and on a regular basis thereafter? In the event there is a report of a security breach at a vendor, can your firm identify all components and services third parties provide?
  • Has your firm established supervisory controls for technology vendors’ business impact, including assessments and contingency plans?
  • Has your firm established supervisory controls to manage vendor offboarding, ensuring that former vendors’ access to systems, data and corporate infrastructure is revoked?

Change Management

  • Has your firm established supervisory controls to manage technology changes that include change risk assessments, rollback plans, change validations and change approval processes?
  • What type of testing does your firm perform before, and after, moving system and application changes into a production environment?
  • Does your firm have repeatable processes for root cause analysis, incident and problem management tracking and metrics reporting?

System Availability and Business Continuity

  • Has your firm established capabilities to prevent technology disruptions and respond to technology incidents, including assessing customer impact and remediation?
  • What controls has your firm implemented to mitigate system capacity performance and integrity issues that may undermine its ability to conduct business and operations, monitor risk or report key information?
  • How does your firm determine whether to maintain, refresh or retire its end-of-life products?

Cybersecurity Data Management

  • What steps has your firm taken to prevent a cybersecurity intrusion, such as a ransomware attack?
  • In the event your firm experiences an intrusion, how will it restore critical data from backups, as well as identify and recover customer information that was exfiltrated?
  • How does your firm protect sensitive customer information or confidential firm data from being exposed to, or copied by, nonauthorized individuals (including associated persons or “insiders” of your firm) or threat actors, including blocking unauthorized copying and monitoring sensitive data in outbound emails?

Cybersecurity Events

  • What steps has your firm taken to prevent a cybersecurity intrusion, such as a business email compromise, phishing or ransomware attack?
  • In the event your firm experiences an intrusion, how will it restore critical data from backups, as well as identify and recover customer information that was exfiltrated?

GRACE IT GRC and Vendor Risk web based solution

GRACE ITGRC Vendor Risk system can help establish an integrated approach to IT policies and procedures, Attestation, Training, IT Inventory, Data Privacy, Cybersecurity, Vendor Risk Assessments. Controls monitoring based on best practice frameworks like NIST. Vendor Due diligence and ongoing vendor monitoring can help manage all your vendors, their data privacy and security postures for your data. Incident response plans, incident management and incident dashboard for pattern analysis can help you stay on top of incidents small and big

GRACE offers the CISO, CTO and senior management a real time dashboard for seeing all the risks, issues, incidents, training, attestation, inventory of their data and its sensitivity, privacy protections in place as well as vendor risks and their mitigation to ensure boards and senior management can provide response to regulatory queries as well as show proof of their process to reduce cyber insurance costs

Above all, it provide monitoring of IT assets on a continuous basis to prevent incidents from happening and if they do catch them early, to reduce legal, reputation and regulatory risks and protect the organization and its clients from financial damage.

Here is a short video on our GRACE ITGRC Vendor Risk solution

We would love to hear from you about your challenges and help you with our GRACE IT GRC Vendor Risk solution