A Small Entity Compliance Guide: Final Model Privacy Form Under the Gramm-Leach-Bliley Act
The model privacy form is designed to make it easier for consumers to understand how financial institutions collect and share their personal financial information and to compare different institutions' information practices. For a guide to implementing these procedures, visit: https://www.sec.gov/divisions/marketreg/tmcompliance/modelprivacyform-secg.htm
FINRA Report on Cybersecurity Practices
Like many organizations in the financial services and other sectors, broker-dealers (firms) are the target of cyberattacks. The frequency and sophistication of these attacks are increasing, and individual broker-dealers, and the industry as a whole, must make responding to these threats a high priority.
A variety of factors are driving firms’ exposure to cybersecurity threats. The interplay between advances in technology, changes in firms’ business models, and changes in how firms and their customers use technology creates vulnerabilities in firms’ information technology systems. For example, firms’ Web-based activities can create opportunities for attackers to disrupt or gain access to firm and customer information. Similarly, employees and customers are using mobile devices to access information at broker-dealers, which creates a variety of new avenues for attack.
The landscape of threat actors includes cybercriminals whose objective may be to steal money or information for commercial gain, nation states that may acquire information to advance national objectives, and hacktivists whose objectives may be to disrupt and embarrass an entity. Attackers, and the tools available to them, are increasingly sophisticated. Insiders, too, can pose significant threats.
In February 2015, FINRA issued a report intended to help firms make responding to cybersecurity threats a priority. The report is based on FINRA’s 2014 targeted examination of firms and other related initiatives.
• FINRA Report on Cybersecurity Practices (February 2015): This report presents an approach to cybersecurity grounded in risk management to address cybersecurity threats. It identifies principles and effective
FINRA Investor Alert – “Phishing” and Other Online Identity Theft Scams: Don't Take the Bait
FINRA issued this alert to warn investors that, according to computer security experts, economic cyber-crime continues to surge. “Phishing” attacks—scams that use spam email or a fake website to lure an individual into revealing his or her bank or brokerage account information, passwords or PINs, Social Security number or other types of confidential information—have increased significantly since they were first discovered in 2005. FINRA issued this alert to keep investors informed about some of the latest online identity theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
• FINRA Investor Alert (July 2014): “Phishing” and Other Online Identity Theft Scams: Don't Take the Bait
Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule
On April 19, 2013, the SEC and CFTC published their joint final Identity Theft Red Flags Rules and guidelines with a compliance date of November 20, 2013. The joint rules (the CFTC rule and the SEC’s Regulation S-ID: Identity Theft Red Flags) and guidelines do not contain requirements that were not already in the FTC Red Flags Rule and guidelines and do not expand the scope of that rule to include new categories of entities that the rule did not already cover. They do, however, contain examples and minor language changes designed to help guide entities within the SEC's enforcement authority in complying with the requirements, which may lead some entities that had not previously complied with the FTC Red Flags Rule to determine that they fall within the scope of the SEC and CFTC joint rules. FINRA’s Red Flags Rule Web Page includes an updated SEC Identity Theft Red Flags Rule Template that firms may opt to use to assist them in fulfilling their requirements under SEC Regulation S-ID: Identity Theft Red Flags. Regulation S-ID requires specified firms to create a written Identity Theft Prevention Program designed to identify, detect and respond to “red flags”—patterns, practices or specific activities—that could indicate identity theft. Identity theft is a fraud committed or attempted using the identifying information of another person without authority.
• FTC’s Red Flags Rule Template
• Identity Theft Red Flags Rules (Joint Final Rules and Guidelines): (Exchange Act Release Nos. 69359, IA-3582, IC-30456 (April 10, 2013) 78 FR 23638 (April 19, 2013))
FINRA Cybersecurity Topic Page
Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA. Visit the link below for more information on related rules, notices, guidance, news and investor education.
This one-hour free webinar tackles a top priority for small firms: building an effective cybersecurity program with limited resources. Panelists share best practices, with a focus on how small firms can apply the National Institute of Standards and Technology (NIST) framework. The webinar includes a discussion of the following topics:
- Overview of NIST Framework
- The role compliance should play in addressing cyber risks
- Factors for developing a cybersecurity program
- Focus of FINRA examinations
- Considerations for recognizing a cyber-attack and developing a process for response
Note: Access to webinars is limited to FINRA member firms and CRCP graduates.