Finra will examine some member firms to assess how they are protecting themselves from potential online threats, the broker-dealer regulator said in a notice posted on its website Thursday.
The Financial Industry Regulatory Authority Inc. said that it is trying to understand the dangers that lurk online for financial companies and their major information technology vulnerabilities. The regulator will review firms' cybersecurity preparation and supervision.
Finra is surveying about 20 firms across a variety of business models.
The regulator is launching the initiative because cybersecurity is consistently cited by member firms as one of their top five risks, according to Finra spokeswoman Michelle Ong.
“Finra is conducting this assessment in light of the critical role information technology plays in the securities industry, the increasing threat to firms' IT systems from a variety of sources and the potential harm to investors, firms and the financial system as a whole that these threats pose,” the organization said in its notice.
The move follows an announcement by the Securities and Exchange Commission last week that it will conduct cybersecurity examinations before the end of September.
Jane Jarcho, national associate director of the SEC's Office of Compliance Inspections and Examinations, told the audience at a compliance conference Jan. 30 that the commission will review the resources that firms devote to information security, their policies for assessing, preventing and responding to attacks and their systems guarding against identity theft and ensuring business continuity, among other areas.
Cybersecurity has long been a worry for the U.S. government and business. Its profile increased even more in recent weeks following massive customer data breaches at retailers Neiman Marcus, Target and possibly Michaels.
“The hackers are very slick,” said Jennifer Openshaw, president of Finect, a compliant social-media platform for financial advisers. “It's in everyone's best interest to be looking for new ways that investors can be harmed.”
Last year, the SEC approved a rule requiring investment advisers to implement identity theft programs.
“Think carefully about what policies you have in place to detect identity theft around customer accounts,” Norm Champ, director of the SEC Division of Investment Management, said at the Jan. 30 compliance event at the commission's headquarters in Washington.
“Cybersecurity is one of the top issues we're hearing about,” David Grim, deputy director of the division, said later in the program.
Some advisory firms won't be prepared for the cybersecurity exams, Ms. Openshaw said.
Smaller firms may lack resources and bigger ones may be relying on outdated technology.
“The most important thing for advisers is to at least have a process — a method and frequency for checking on cyberthreats, protecting data and having a feedback loop to the company, should any problems happen,” she said.