Bates News, Bates Research | 01-17-19
New FINRA Report Details Effective Practices for Broker-Dealer Cybersecurity Compliance
Right before the new year, FINRA published a report on specific cybersecurity compliance concerns raised in recent broker-dealer examinations. The report provides important guidance for broker-dealers to ensure that their compliance programs adequately address particular risks. Specifically, FINRA highlights best practices among firms on (i) branch office controls; (ii) limiting phishing attacks; (iii) mitigating insider threats; (iv) testing compliance networks for security weakness; and (v) controlling risks related to mobile devices. In this article, Bates reviews these elements and what they may mean for your compliance program.
FINRA expressed concerns over branch office cybersecurity compliance, stemming in part from the autonomy given to branch offices. FINRA observed that such autonomy inhibits the ability of a home office to maintain supervisory control and consistency across a firm. Among other examples, FINRA cites branches that hire non-approved vendors, purchase assets (such as software) that may not be compatible firm-wide, fail to follow cybersecurity protocols, and allow representatives to work from home without adequate technological cybersecurity support.
FINRA’s primary recommendation is for firms to evaluate whether they need to enhance their branch cybersecurity to protect customer information. First, FINRA says firms should strengthen (and organize) comprehensive written supervisory procedures (WSPs) in order to better define minimum branch cybersecurity controls. This includes, for example, providing branches a list of required and recommended hardware and software options and settings, and lists of approved vendors. In addition, FINRA wants firms to formalize the oversight of these offices by designating a branch office cybersecurity supervisor. Second, firms should develop an inventory of branch-level assets, including data, software and hardware. Such an inventory would help evaluate vulnerabilities to potential attack and direct appropriate policy, technical and physical controls to mitigate those risks. Third, firms should maintain branch technical controls, particularly concerning identity and access management protocols for registered representatives. Finally, firms should implement robust review programs in order to “ensure that branches are consistently applying cybersecurity controls across a firm’s branch network.”
FINRA observed that firms are aware of the threat posed by phishing attacks, including both general emails and sophisticated and targeted attacks (aka “spear phishing” or “whale phishing”), but could do more to mitigate the risks. Given the danger that victims may release confidential or personal information, respond with unauthorized wire transfers, or infect systems with malware, ransomware or other viruses, FINRA advises creating or upgrading anti-phishing policies. Among many suggestions, FINRA wants firms to better train and alert system users on how to identify phishing emails, not to open attachments in suspicious emails, and to notify IT administrators and compliance staff of any incidents. Perhaps most importantly, FINRA wants customer-facing employees who have access to valuable personal and financial information to confirm wire transfers with customers, and to ensure resolution and remediation after an attack.
Recognizing that insiders are “in a unique position to cause significant harm to an organization,” and that “the vast majority (95-99 percent) of higher revenue firms and 66 percent of mid-level revenue firms” said they address insider threats in their programs, FINRA outlined best practices for managing the exposure potentially created by insiders. These include significant attention to access policies and practices for executive leadership and management, heightened technical controls for individuals with privileged access, technical controls and data loss prevention (DLP) tools, training for all insiders, and measures to identify potentially abnormal user behavior in the firm’s network. FINRA also highlighted firms that cultivated a culture of compliance that encourages suspicious activity reporting and the regular review of higher-risk individuals, “especially in environments where it is difficult to maintain segregation of duties.”
FINRA highlights the importance of penetration testing as part of a broker-dealer’s cybersecurity program. These tests serve to analyze a firm’s network and applications for vulnerabilities and technical gaps. FINRA notes that “100 percent of higher revenue firms include penetration testing as a component in their overall cybersecurity program,” but recognizes that penetration tests “are highly relevant to firms that provide online access to customer accounts.” That said, it is clear that the ability to identify, assess, risk-classify and mitigate any security issues through this process is what FINRA wants to see from all firms. To that end, FINRA suggests that firms (i) adopt a risk-based approach to penetration testing; (ii) perform due diligence in the selection of vendors; (iii) establish contracts that prescribe vendor responsibilities; (iv) manage and follow up on test results; and (v) rotate testing providers “to benefit from a range of skills and expertise.”
In the report, FINRA addressed the risk of attacks on sensitive customer and firm data through the use of smartphones, tablets and laptops. FINRA noted the particular risk to retail investors who are performing a greater variety of transactions on mobile devices, including trading, money transfers and account monitoring. Here too, FINRA recommends developing a host of policies and procedures to address the protection of customer information and to circumscribe the use of personal devices by employees for business without firm approval. FINRA referenced a number of requirements to improve security, including the implementation of password standards, authentication methods, and the installation of security software on mobile devices that are used for firm business. In addition, FINRA noted certain practices firms were using proactively, including monitoring the marketplace for malicious applications (in particular ones that can impersonate a firm’s mobile application) and greater communication with the firm’s customers on how they might mitigate risks on their own devices.
In the new report, FINRA makes clear that its current focus on specific technology risks should be considered in the “context of a holistic firm-level cybersecurity program,” the elements of which are contained in FINRA’s 2015 Cybersecurity Practices. That is an important caveat and a telling example of how fluid the compliance oversight of technology risk has become. Combined with instructions for small firms to update their Cybersecurity Checklist based on the new recommendations (contained in the Appendix of the new report), and additional warnings that FINRA’s observations are “not intended to express any legal position, [nor] create any new legal requirements or change any existing regulatory obligations,” the report is a reminder that firms remain responsible for creating compliance programs that address diverse and developing risks in a dynamic environment without any real certainty that they will be enough to withstand regulatory scrutiny.
For additional information and assistance, please follow the links below to the relevant Bates Group Practice Area pages: