FINANCIAL INFORMATION FORUM
11 Hanover Square
New York, New York 10005
212-422-8568
April 25, 2019
Ms. Jennifer Piorko Mitchell
Office of the Corporate Secretary
Financial Industry Regulatory Authority
1735 K Street NW
Washington, DC 20006-1506
Re: FINRA Regulatory Notice 19-06 Retrospective Review of FINRA Rule 4370
Dear Ms. Mitchell,
The Financial Information Forum (“FIF”)¹ appreciates the opportunity to comment on the Financial
Industry Regulatory Authority’s (“FINRA”) notice soliciting comments on FINRA’s retrospective rule
review of FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information). FIF member
firms support FINRA’s continued review and solicitation of industry comment on the effectiveness of
past rulemaking. FIF believes that due to significant changes in technology, the industry’s reliance on
vendor BCP tools, and the risk/threat landscape (i.e. technology, natural disaster, etc.) that could
potentially trigger a BCP event since FINRA Rule 4370 was originally codified in 2004, retrospective rule
review is appropriate.
FIF member firms believe that FINRA Rule 4370 affords the industry with the necessary framework in
which to develop Business Continuity Plans (“BCP”) as well as the flexibility to implement those
procedures based upon a firm’s specific needs. Therefore, FIF’s comments focus not upon proposed
fundamental changes to the rule, but rather upon recommendations designed to increase the breadth
and scope of current guidance and educational opportunities available to industry member firms to
more effectively plan for and respond to BCP events. FIF believes that due to the potential systemic risk of
industry members not possessing adequate BCP procedures following a significant business disruption,
firms must continually reassess, revise, and test their BCP plans. As such, FIF encourages FINRA to
develop supplemental FAQs and additional educational opportunities (i.e. webinars, conferences,
industry best practice guides) that the industry can leverage to support firms’ access to, assessment,
and implementation of industry best practices, tools, and technology.
Effectiveness of Rule 4370
Since the original codification of NASD Rules 3510 and 3520 in 2004 (recodified as FINRA Rule 4370 in
2009), industry members have benefitted from the flexibility afforded to firms in constructing
reasonable BCP procedures based upon a firm’s size, complexity, and resources. FIF emphasizes that
any subsequent change to FINRA Rule 4370 following the retrospective rule review period must
continue to allow firms significant leeway to develop BCP response plans based upon a firm’s business
profile. Notably, upon review of FINRA Rule 4370, FIF member firms have noted that the flexibility of the
current rule has allowed both the industry and FINRA to develop and adjust BCP plans based upon
changes in the threat landscape, the advent of new technology, and change in the size and scope of a
particular business. Additionally, FIF believes that an overly prescriptive rule governing BCP
responsibilities will result in the inability of both FINRA and the industry to learn from and leverage the
experience of similarly situated businesses in augmenting and improving BCP response plans.
Therefore, FIF believes that the flexibility embedded in FINRA Rule 4370 should remain.
¹ FIF (www.fif.com) was formed in 1996 to provide a centralized source of information on the implementation issues that
impact the securities industry across the order lifecycle. Our participants include trading and back office service bureaus,
broker-dealers, market data vendors and exchanges. Through topic-oriented working groups, FIF participants focus on critical
issues and productive solutions to technology developments, regulatory initiatives, and other industry changes.
Additional Guidance
FIF encourages FINRA to provide industry members with additional guidance in the form of FAQs,
webinars, and best practice guides that can be leveraged to improve existing BCP response plans. As
noted above, the threat landscape has evolved significantly in recent years. Malicious 3rd parties
continue to develop and improve upon strategies designed to disrupt business operations, natural
disasters have grown more ubiquitous (i.e. Hurricane Sandy), and technical/systems outages remain a
threat to business activity. To better inform industry members as to how to best prevent against the
disruption of business activity due to a BCP event, FIF recommends the following:
FAQs - FIF recommends that FINRA issue additional FAQs designed to leverage and
communicate to the industry the best practices FINRA has gathered as a result of BCP plan
assessments. FIF continues to believe that firms should have access to and benefit from the
collective experience and knowledge of their industry peers in formulating their own BCP
response plans. Complete and robust FAQs that provide industry members with additional
guidance on best practices including but not limited to 1) data protection and failover testing; 2)
internal and external communication between employees, counterparties, vendors, and
government officials/regulators during a BCP event; 3) interfirm employee education; and 4)
assessment of mission critical systems. Should additional FAQs be published, FIF encourages
FINRA to engage in industry outreach sessions to better educate firms as to how to best
implement industry best practices at their firms. FIF believes that the availability of FAQs that
incorporate best practice recommendations gathered by FINRA during years of exams will allow
firms to implement a more mature, efficient, and effective BCP response plan. Specifically, FIF
recommends that FINRA should consider updating the following guidance:
o Regulatory Notice 13-25: Should FINRA elect to provide industry members with
additional FAQs, FIF recommends that FINRA consider updating FINRA Regulatory Notice
13-25 issued in response to Hurricane Sandy. FIF believes that since the threat
landscape has shifted significantly during the intervening six years following the publication
of Regulatory Notice 13-25, Regulatory Notice 13-25 should be updated to include
greater detail, especially with respect to cybersecurity. Additionally, FIF recommends
that any updates supplementing the guidance provided within Regulatory Notice 13-25
should be harmonized with any subsequent guidance issued by the Securities and
Exchange Commission (“SEC”) and the Commodity Futures Trading Commission
(“CFTC”);
o Small Firm Business Continuity Plan Template: FIF recommends that FINRA consider the
review of and providing updates to the Small Firm Business Continuity Plan Template,
last updated in May of 2010. Given the significant changes in the threat landscape and
potential mechanisms available to firms to better protect against BCP events, FIF
believes that more modernized recommendations should be considered for
incorporation into the template;
Public Outreach - FIF encourages FINRA to increase the availability of industry-wide educational
opportunities that can be leveraged to refine and improve upon existing BCP procedures. As
stated above, FIF believes that FINRA is in a unique position to gather, analyze, and
communicate best practice recommendations from years of experience assessing countless
industry member BCP plans. FIF believes that FINRA should consider tailoring
webinars/conferences to particular types of businesses (i.e. large firms, small firms, etc.) to
better allow firms access to best practices from firms of similar resources.
Best Practice Documentation - In addition to the publication of additional FAQs, FIF
recommends that FINRA make available best practice “guides” tailored to specific business
profiles. Due to the wide breadth of resources available to firms, a “one size fits all” guide may be
challenging for firms to appropriately implement. FIF recommends that several best practices
guides based upon firm size and business activity be made available to allow firms greater
insight into possible routes they can take to best protect themselves and their clients from a
significant disruption in business activity;
Leveraging Industry Expertise - FIF recommends that as FINRA considers the development and
publication of additional guidance to support the industry’s continued refinement and
implementation of BCP procedures, FINRA should continue to engage with industry experts to
better incorporate industry best practices. FIF believes that the industry’s collective experience
with the development and implementation of BCP procedures should be assessed, consolidated,
and made available to the wider industry to better facilitate a broader understanding of and
application of industry-wide best practices. FIF offers to work with FINRA and industry
participants to facilitate broader dialogue with industry stakeholders.
Conclusion
FIF appreciates the opportunity to comment on Regulatory Notice 19-06 Retrospective Rule Review of
FINRA Rule 4370. While FIF believes that the current rule affords industry members with sufficient
autonomy to implement BCP procedures in a manner that best comports with a firm’s particular
business profile, FIF emphasizes that additional, more modern guidance that leverages the collective
expertise of the financial services industry will allow for a more efficient and effective implementation of
BCP procedures. Please feel free to reach out to me at 212-652-4485 to further discuss any of the
recommendations contained in this letter.
Regards,
Christopher W. Bok, Esq.
Director
Financial Information Forum
CC: Ms. Jeanette Wingler, Associate General Counsel, OCG, FINRA
Ms. Sarah Kwak, Assistant General Counsel, OCG, FINRA
Ms. Lori Walsh, Deputy Chief Economist, OCE, FINRA
Ms. Meghan Burns, Associate Principal Analyst, OCE, FINRA