The Financial Industry Regulatory Authority (FINRA) is putting broker-dealers on notice that vendor management of cybersecurity will be a hot topic in 2017.
In its Regulatory and Examination Priorities Letter highlighting areas FINRA plans to review in 2017 and “brief observations about common weaknesses we have observed while executing our regulatory programs,” the organization addressed operational risks of cybersecurity as one of the biggest risks facing firms.
Vendor-related elements of cybersecurity that FINRA says it is likely to review include:
Data loss. FINRA wants broker-dealers to understand how their vendors handle data, including which data is sensitive, where it travels, and how it is stored. Broker-dealers need tools that let them monitor and protect the data they share with their vendors.
Vendor management. Vendor relationships and controls are drawing notice. Of particular interest is vendor access to personally identifiable customer or employee data, or sensitive firm information.
Insider threats. FINRA specifically mentions vendors as a potential source of insider threats to sensitive information.
Electronic communication retention. The Securities and Exchange Act requires firms to properly preserve emails and other records, yet there have been times when email review and retention vendors have fallen short of this requirement.
The message is clear: Vendor management controls are not optional, especially when it comes to data and cybersecurity. Broker-dealers need to know which vendors hold critical information and what contract protections are in place to keep that data safe. They must also be sure vendors are aware of regulatory requirements and are obligated to follow them.
FINRA won’t let broker-dealers off the hook if a vendor causes a data breach or other regulatory violation. A strong vendor management program is increasingly a must-have.