The Financial Industry Regulatory Authority released a report on effective cybersecurity practices it observed at member firms related to branch office controls, phishing, insider threats, penetration testing and mobile devices.
For branch offices, FINRA said that effective practices it has seen to minimize cybersecurity risks include establishing written supervisory procedures defining minimum cybersecurity controls for branches and formalizing their oversight; creating an inventory of branch-level data, as well as software and hardware assets; maintaining branch technical controls including identity and access management restrictions for salespersons and other staff to limit their access to only their own customers' data; and having a “robust” cybersecurity examination program.
For phishing, FINRA observed that some firms had express policies to address phishing; implemented email scanning and filtering to monitor and block phishing and spam; used staff specifically trained on phishing; and conducted regular simulated phishing email campaigns, among other effective techniques.
FINRA noted that insider threats are a particularly heinous risk “because an insider typically circumvents many firm controls and may cause material data breaches of sensitive customer and firm data.” To mitigate such risks, FINRA observed that some firms implemented measures to identify potentially abnormal user behavior within a firm’s network and imposed an identity and access management policy, as well as heightened technical controls for individuals with privileged access, to continuously align access rights with specific job functions.
FINRA said that, in issuing its “Report on Selected Cybersecurity Practices – 2018,” it was not creating any new legal requirement or changing any existing regulatory obligation.
Compliance Weeds: In 2015, the Securities and Exchange Commission issued a report on its own cybersecurity observations where it said that 88 percent of all broker-dealers and 74 percent of all investment advisers reported they had previously sustained cyber-attacks directly or through one or more of their vendors. Most attacks were the result of malware and fraudulent emails. According to the SEC, 54 percent of all broker-dealers and 43 percent of advisers specifically indicated they had received fraudulent emails to transfer customer funds. Where losses were sustained, 25 percent of the broker-dealers “noted that these losses were the result of employees not following the firms’ identity authentication process.”
Regrettably, it is likely not a matter of whether a cyber breach will occur, but when and how severe it will be. Financial services firms must continue their efforts to minimize the likelihood of cybersecurity breaches through periodic risk assessments; robust policies, procedures and governance; state-of-the-art technological defenses; ongoing monitoring; and employee training. Moreover, firms should develop, implement and periodically update response plans for use when a cyber breach occurs. Unfortunately, it will.
On January 10, 2019, Katten will be hosting a seminar in its New York City office entitled “You’ve Been Hacked” that will address practical measures to help reduce cybersecurity risks, as well as how to respond when there has been a breach. In addition to internal Katten experts, speakers will include Regina Thoele, Senior Vice President, Compliance, at the National Futures Association, who will speak on NFA’s new, amended Information System Security Program requirements, and Greg Bordenkircher, Chief Litigation Counsel for the State of Alabama, who will speak on the latest cybersecurity threats.
(For information on NFA’s amended ISSP requirement, see the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.)