Cybersecurity for Financial Services Firms
FINRA, the Financial Industry Regulatory Authority, has long issued compliance guidelines on the electronic storage of records, following rules issued by the Securities and Exchange Commission (SEC). Originally these guidelines were meant mainly to ensure that unaltered records could be retrieved should an examiner need to audit a transaction. Now, however, FINRA is revisiting them to combat another threat: cybercrime.
SEC Rule 17a-4(f) permits electronic storage of records as long as those records cannot be altered or erased. This was initially interpreted as a 'write-once, read-many' (WORM) media requirement, which was very prescriptive about how to comply, but the SEC subsequently clarified that any combination of hardware and software that achieves the same result is acceptable.
Noting that these records are not only critical to a financial firm's ability to survive a cyberattack, but also that a cyberattack could destroy the very reference data examiners may someday require, FINRA is adding a 'survivability in the case of a cyberattack' component to its determination of whether a firm complies with SEC Rule 17a-4(f).
FINRA also began a broader study in 2014 to understand the cyberthreats faced by its members and the current responses to those threats. The study included a review of firms' governance structures for cybersecurity, their use of risk assessments, and how they act on the results of those assessments. FINRA is expected to issue its report in 2015.
This fits with the growing general awareness of cyber threats. Regulated financial firms have specific requirements due to the nature of the industry, and in transaction-based financial environments they understand that even a few moments of downtime can cripple a firm. But many of the basic best practices apply as well: robust backup systems, offsite storage and retrieval, and system monitoring.
Sound Technology Services specializes in those systems for all industries, including financial services. A FINRA-regulated firm, large or small, may not be compliant if it hasn't revisited this topic recently. Looking forward, FINRA's survivability interpretation may align its requirements with best practices from other industries.
FINRA-regulated firms should contact us to learn about the latest technologies that provide compliance, continuity, and security.