In December 2017, the Financial Industry Regulatory Authority (“FINRA”) released a report (available here) identifying and discussing observations from recent examinations of broker-dealer members—including observations related to cybersecurity. FINRA recognizes that “[c]ybersecurity is one of the principal operational risks facing broker-dealers.” The most common threats FINRA observed in 2016 and 2017 included phishing and spearphishing attacks, ransomware attacks, and fraudulent third-party wires involving email or stolen customer or financial advisor credentials.
Even though members have significantly increased their focus on cybersecurity challenges over the past couple of years, the nature and sophistication of cyber-attacks and threats continue to evolve and impose considerable risk of compromise on even the most advanced and robust cybersecurity programs. The following is a summary of FINRA’s observations on six specific areas where some firms could improve their cybersecurity programs:
- System Access Management – addressing basic system access management issues, such as timely terminating departing employees’ access to firm systems and implementing procedures to log, monitor, and supervise privileged systems users’ activities to detect anomalies or unauthorized actions.
- Risk Assessments – creating and implementing formal processes/procedures for performing ongoing risk assessments of data, systems, and applications. Firms should be able to effectively identify critical assets and the potential risks to those assets.
- Vendor Management – creating and implementing formal processes/procedures related to vendor management and reviewing the appropriateness and preparedness of a prospective or new vendor’s protections regarding data breaches or cybersecurity events.
- Firms’ Branch Offices – addressing challenges in managing passwords, implementing patches and software updates, updating antivirus software, controlling removable storage devices, encrypting data, and reporting incidents.
- Segregation of Duties – segregating the responsibilities for requesting, implementing, and approving cybersecurity rules and systems changes.
- Data Loss Prevention – broadening rules that prevent transmission of Social Security numbers to cover other sensitive data (e.g., customer account numbers), establishing thresholds to flag or block large file transfers to untrusted recipients, and implementing formal change-management processes for changes to data loss prevention system rules.
Importantly, FINRA expressly states that the Report “does not represent a complete inventory of observations about the industry as a whole, does not imply that any issues discussed exist at any particular firms, and should not be read as creating new legal or regulatory requirements or new interpretations of existing requirements.” Indeed, “[a]n individual firm may not have any deficiencies in the risk areas identified in the Report.”
Although not required, these observations and suggestions are prudent and certainly worthy of consideration by organizations of all sizes. As cybersecurity-related issues continue to arise, FINRA members (and those in other industries) need to actively and continuously fine-tune and adjust their written policies and procedures for protecting sensitive information.