February 12, 2018

The Catholic University of America Columbus School of Law's Securities Law Program presented the second installment in its 2018 Securities Law Lecture Series on the evening of February 8th. The speaker, Susan F. Axelrod, is Executive Vice President of Regulatory Operations at FINRA, where she oversees the Office of Fraud Detection and Market Intelligence and Member Regulation. Axelrod was previously responsible for ongoing surveillance and examinations for FINRA-regulated securities firms as Executive Vice President and head of Member regulation-Sales Practice.

Axelrod opened her presentation entitled "Enhancing Corporate Cyber Security Compliance Programs and SEC Reporting," by describing what FINRA does. "FINRA is a self-regulatory organization that is responsible for overseeing all the broker dealers in the United States. We have examination programs, we have surveillance programs, we monitor the trading activity on the exchanges, we do reviews for things like insider trading, consumer complaints, and filings from firms."

Axelrod discussed how FINRA deals with the rules and regulations that relate to cyber security. "The goal at FINRA is investor protection and market integrity," she said. "FINRA does not have set rules or requirements regarding cyber security because the firms we regulate are so diverse. Any rule we create could be obsolete after it went through the rule making process."

Axelrod explained that FINRA covers cyber security as a topic during site examinations at each firm. Each firm needs to have a unique security plan in place. Small firms should focus on updating their anti-virus software regularly and monitoring vender or third-party access to systems, while global firms should assess if their technology governance framework is working correctly.

Axelrod also discussed that firms should carefully monitor employee behavior, be aware of potential phishing attacks, and have a plan for what to do when a system is compromised. "Look at who in your organization and has access to systems with confidential information. Firms need to assess access to these systems on an ongoing basis. Additionally, firms need to immediately shut off access to an employee who gives notice" she said.

"Cyber security is a general risk for our society. It doesn't really matter where you sit. Cyber security is the little things. It is the anti-virus software, it is turning off employee access after they leave, it is reassessing access information on a regular basis, and it is making sure attachments are encrypted."