December 22, 2016

FINRA Penalizes Firms $14.4 Million for Cybersecurity Deficiencies

In the most recent example of the increasing regulatory scrutiny of cybersecurity preparedness, the Financial Industry Regulatory Authority (“FINRA”) fined twelve firms a total of $14.4 million for violations of recordkeeping provisions under Section 17(a) of the Exchange Act and Rules 17a-3 and 17a-4 thereunder, NASD Rules 3110(a) and 2110, and FINRA Rules 4511 and 2010, as well as supervisory violations under NASD Rule 3010(b) and FINRA Rule 3110(b). The violations specifically related to failures to preserve broker-dealer and customer records in a non-erasable, non-rewritable electronic format known as “write once, read many” (“WORM”) format, and to establish, maintain, and enforce written supervisory procedures reasonably designed to achieve compliance with Rule 17a-4 WORM requirements.

As an additional condition to the Letters of Acceptance, Waiver, and Consent (“AWC”), the firms have undertaken to review their policies and procedures, submit a plan to FINRA for review and approval within 60 days, and then adopt and implement the approved policies and procedures. Settling firm CCOs must provide written certifications to FINRA within 180 days from the date of settlement that the approved policies and procedures have been implemented.

Under federal securities laws and FINRA rules, broker-dealers must keep business-related electronic records in WORM format in order to safeguard customer data and prevent alteration of the records. According to the SEC, anti-alteration safeguards such as WORM formatting are essential to investor protection because a firm’s books and records are the “primary means of monitoring compliance with applicable securities laws, including antifraud provisions and financial responsibility standards.”1

The volume of sensitive electronic data stored at member firms has increased dramatically in recent years, as have the number and scale of attempts to breach firms’ cybersecurity defenses. The SEC and FINRA have responded by devoting more attention to cybersecurity, as detailed by past client memoranda available here. Brad Bennett, FINRA’s Chief of Enforcement, made clear that the regulatory focus on cybersecurity would continue, despite his announced departure. In emphasizing the importance of the AWC process in safeguarding clients and investors, Bennett noted that “[e]nsuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.”

FINRA’s announcement of a cluster of cybersecurity cases on one day is also noteworthy to the extent it signals FINRA is pursuing “message” enforcement actions, as the SEC has done with success under Chair Mary Jo White. These cases underscore that the SEC and FINRA are heavily focused on the importance of cybersecurity readiness among broker-dealers and other regulated entities.


1 SEC Interpretation: Electronic Storage of Broker-Dealer Records, Rel. No. 34-47806, May 12, 2003, available here.