FINRA maintains, on the FINRA Contact System (FCS), contact information records for all Executive Representatives, Chief Compliance Officers and other individuals at firms, including contacts that are required under FINRA rules and By-Laws and others that are voluntary. Historically, FINRA has used this information for regulatory communications, compliance purposes and ballots for Board and other elections, and also to communicate with specific individuals at firms about a particular topic.
In an attempt to further align the FCS with the operations of its member firms, FINRA has added a new voluntary role, to wit, the Chief Information Security Officer (CISO). This role is defined as the person at your firm responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected, or the person closest to that role.
The rules set forth by FINRA regarding the CISO role are as follows:
- It is not a required role;
- It does not require that the contact be registered or hold a principal designation with the firm;
- A firm can only have one contact listed; and
- The role is not included in the Annual Review.
While FINRA has stated that the voluntary role is not included in the annual review, it should be noted that member firms remain clearly responsible for establishing and maintaining procedures and processes to ensure information assets and technologies are adequately protected. Additionally, since the CISO is not required to be a qualified principal, responsibility for the CISO's functions appears to remain with other principals.
For more information about the role of the CISO and adding a CISO to the FCS, visit FINRA’s website.