FINRA Releases Report on Effective Industry Cybersecurity Practices

Cybersecurity is regularly identified as one of the top concerns facing the financial industry as a whole.

FINRA Releases Report on Effective Industry Cybersecurity Practices 

In response to these concerns, FINRA (Financial Industry Regulatory Authority) has generated a report (released in December 2018) to address operational risks and provide best practices for cybersecurity in light of its findings from the routine examinations of broker-dealers, and while the report is issued for broker-dealers, we believe that it also contains a lot of relevant information for investment advisers. The report summarizes the more effective practices being utilized by firms to combat ever-evolving cybersecurity threats, including:

  • Vulnerability of branch offices
  • Phishing
  • Insider threats
  • Penetration testing programs
  • Controls on mobile devices

We will provide a brief summary of each section. Further information on areas of specific interest to your firm’s unique situation can be obtained in the original report, available here

Increasing Cybersecurity at Branch Locations

Multi-branch firms face challenges in the implementation and maintenance of an integrated cybersecurity protection system due to the autonomous operation of each branch.

This satellite business structure necessitates frequent review and enhancement of cybersecurity measures to protect customer information across firms through the development of:

  • Effective written supervisory procedures (WSPs) to coordinate oversight of individual entities
  • Thorough inventory of branch-level data, software, and hardware
  • Efficient internal examination programs to detect potential weaknesses and stay ahead of potential cybersecurity threats

Extensive suggestions for the implementation of each of these measures are available in the complete report, which is available here.

Repelling Phishing Attacks

Phishing is an effort to convince the recipient of electronic communication (text, email, etc.) to take some action that grants the attackers access to sensitive information or control of internal systems, often by:

  • Requesting sensitive personally identifiable information (PII), such as Social Security numbers, usernames or passwords
  • Instructing the recipient to click on a malicious link or open an infected attachment or application
  • Directing the recipient to initiate a fraudulent wire transfer

While many firms are aware of the dangers posed by phishing attacks, FINRA provides examples of effective practices being utilized across the industry to mitigate potential damage can be found here.

Reducing Insider Threats

Whether due to malicious behavior or inadvertent error, insiders (individuals who currently have or previously had authorized access to firm systems and data) may cause harm by circumventing firm security measures, potentially leading to breaches that expose sensitive customer and firm data.

Effective, comprehensive insider threat programs typically integrate the following components:

  • Executive leadership and management support
  • Identity and access management policy and technical controls, especially for individuals with privileged access
  • Security information and event management (SIEM) and data loss prevention (DLP) tools
  • Training for all potential insiders
  • Measures that can identify potentially abnormal user behavior

Specific details for implementation of the above measures are provided in the full report, which is available here.

Penetration Testing: Assessing Your Firm’s Vulnerability

A penetration test (or pen test) is a simulated attack on a firm’s computer network conducted to identify weaknesses that could be exploited by attackers, as well as to assess the effectiveness of the system’s protective measures. Effective practices related to risk-based penetration testing include:

  • Adoption of a risk-based approach to penetration testing
  • Thoroughly vetting their testing providers
  • Developing specific contractual provisions that define vendor responsibilities
  • Strict management of and response to pen test findings
  • Rotating testing providers to apply a wider range of skills, expertise, and perspective

The relevance of penetration testing depends upon a firm’s business model and technology infrastructure (in other words, how heavily firms rely on electronic systems to manage critical client or firm data).

More information on the benefits and best practices of penetration testing can be found in the original report, which is available here.

Mitigating the Risks of Mobile Devices

The heavy utilization of mobile devices increases a firm’s vulnerability to cyberattacks by granting attackers an almost endless number of access points.

Attacks targeting mobile devices may include the following:

  • Malicious advertisements, spam, and phishing communications
  • Infected, cloned, or pirated mobile applications
  • Vulnerabilities inherently found in mobile operating systems (MOS)

Although any firm providing mobile access for employees or customers is at risk, firms with large numbers of retail customers face greater exposure and require the implementation of especially robust cybersecurity controls to protect firm and customer information.

Specific suggestions for implementing more effective controls related to mobile devices are available in the full FINRA report, which can be accessed here.

Toughening Your Firm’s Cybersecurity Program

The need for clear and effective cybersecurity measures to mitigate threats becomes more apparent each year.

The first step in prevention is a thorough internal examination of your firm’s cybersecurity policies and procedures, credentials, permissions, and training programs. The second step is to allot the necessary resources to bolster the weaker elements of your firm’s defense, protecting yourselves and your clients against cyberattack and its accompanying damages.

At Core Compliance & Legal Services, Inc., we have years of experience assisting clients in cybersecurity risk prevention measures. We’re here to help — contact us for assistance with your cybersecurity program needs.