The Financial Industry Regulatory Authority (FINRA) has, of late, been very aggressive in enforcing its regulations in the area of cybersecurity. FINRA took a strong stance on cybersecurity earlier this year when it fined a financial firm for failing to adequately protect customer data from cybersecurity threats. FINRA attacked the sufficiency, and in particular the specificity, of the firm’s written security policy.
And with a series of Letters of Consent on December 20, 2016, FINRA showed no signs of softening its aggressive stance on cybersecurity compliance — levying fines totalling $14 million against 12 firms. This time, FINRA’s focus turned to record-keeping requirements.
FINRA took aim at 12 firms’ failure to adequately preserve electronic records. SEC and FINRA rules (including Exchange Act 17a-4(f)(2)(ii) and FINRA Rules 4511 and 2010) require member firms to maintain certain electronic records in a non-erasable, non-rewritable format referred to as WORM (an acronym for the “Write Once, Read Many” nature of such records).
FINRA explained that WORM format requirements were essential to FINRA’s investigative duties. FINRA noted how the volume of sensitive financial data stored electronically by members had risen exponentially in the past decade. This increase in the amount of sensitive information stored by FINRA members coincides with increasingly aggressive attempts to hack into electronic data repositories. This combination of large caches of sensitive information stored by members and aggressive attempts to gain unauthorized access to that information mandates that such information be stored in a way that preserves the information even if improperly accessed. And, as FINRA explained, because these documents were absolutely essential to any FINRA audit or investigation, preserving them in a manner that maintained the integrity of the information found in those documents is absolutely critical.
FINRA found that the each of the 12 fined firms failed to follow required document retention regulations. While all 12 firms failed to retain millions (and in some cases hundreds of millions) of records in the required WORM format, some failed in other related ways. Some failed to have adequate systems for auditing or overseeing compliance with the document retention requirements. Others failed to obtain required attestations from backup vendors requiring those vendors to provide the firm’s records to regulators if the firms were unable to do so.
FINRA has sent a clear message to member firms that it is very serious about enforcing its cybersecurity regulations. Requirements to protect personal information as well as to preserve necessary evidence are not being taken lightly by FINRA. By levying fines ranging from $500,000 to $4 million in the most recent cases, FINRA has sent a clear message that its regulations are to be followed or expensive penalties will follow.
What remains to be seen is what, if any, changes may come with the new administration in 2017. Only time will tell whether FINRA will continue its aggressive enforcement actions or if we will see a softening of FINRA’s actions.