FINRA Identifies Specific Areas In Which Investment Firms Can Improve Cybersecurity Programs
In December 2017, the Financial Industry Regulatory Authority ("FINRA") released a report identifying and discussing observations from recent examinations of broker-dealer members—including observations related to cybersecurity.[1] FINRA recognizes that "[c]ybersecurity is one of the principal operational risks facing broker-dealers." The most common threats FINRA observed in 2016 and 2017 included phishing and spearphishing attacks,[2] ransomware attacks, and fraudulent third-party wires involving email or stolen customer or financial advisor credentials.
Even though members have significantly increased their focus on cybersecurity challenges over the past couple of years, the nature and sophistication of cyber-attacks and threats continue to evolve and impose considerable risk of compromise to even the most advanced and robust cybersecurity programs. The following is a summary of FINRA's observations on six specific areas where some firms could improve their cybersecurity programs:
- System Access Management – addressing basic system access management issues, such as timely terminating departing employees' access to firm systems and implementing procedures to log, monitor, and supervise privileged systems users' activities to detect anomalies or unauthorized actions.
- Risk Assessments – creating and implementing formal processes/procedures related to performing ongoing risk assessments of data, systems, and applications. Firms should be able to effectively identify critical assets and the potential risks to those assets.
- Vendor Management – creating and implementing formal processes/procedures related to vendor management and reviewing the appropriateness and preparedness of a prospective or new vendor's protections regarding data breaches or cybersecurity events.
- Firms' Branch Offices – addressing challenges in managing passwords, implementing patches and software updates, updating antivirus software, controlling removable storage devices, encrypting data, and reporting incidents.
- Segregation of Duties – segregating the responsibilities for requesting, implementing, and approving cybersecurity rules and systems changes.
- Data Loss Prevention – broadening rules that prevent transmission of Social Security numbers to include other sensitive data (e.g., customer account numbers), establishing thresholds to flag or block large file transfers to untrusted recipients, and implementing formal change-management processes for data loss prevention system rule changes.
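To make the Data Loss Prevention and Segregation of Duties items concrete, the following is an added illustration (not code from the FINRA Report or from any firm) of an outbound-transfer check that covers Social Security numbers, account numbers, and large transfers to untrusted recipients, with rule changes gated so the requester cannot also be the approver. The account-number format, trusted domains, and size threshold are constructed assumptions.

```python
import re

# Added example, not from the FINRA Report: an outbound e-mail/file-transfer
# DLP check, plus a formal change-management step for its rules.

# SSN pattern that excludes never-issued area (000, 666, 9xx), group (00)
# and serial (0000) values to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical customer account-number format (constructed): "AC" + 8-10 digits.
ACCOUNT_RE = re.compile(r"\bAC\d{8,10}\b")

# Constructed starting policy; the domains and the threshold are assumptions.
POLICY_V1 = {
    "version": 1,
    "trusted_domains": {"examplefirm.test", "custodian.test"},
    "large_transfer_bytes": 25 * 1024 * 1024,
}


def evaluate_transfer(policy, recipient, body, attachment_bytes):
    """Return a decision ('allow', 'flag' or 'block') plus the rules that fired."""
    reasons = []
    if SSN_RE.search(body):
        reasons.append("ssn")
    if ACCOUNT_RE.search(body):
        reasons.append("account_number")
    domain = recipient.rsplit("@", 1)[-1].lower()
    untrusted = domain not in policy["trusted_domains"]
    if untrusted and attachment_bytes >= policy["large_transfer_bytes"]:
        reasons.append("large_transfer_untrusted")
    if untrusted and ("ssn" in reasons or "account_number" in reasons):
        decision = "block"   # sensitive data leaving the firm is stopped
    elif reasons:
        decision = "flag"    # trusted recipient or bulk transfer: route for review
    else:
        decision = "allow"
    return {"decision": decision, "reasons": reasons}


def apply_rule_change(policy, change):
    """Formal change management: the requester may not also approve the change,
    and every approved change yields a new, numbered policy version."""
    if change["requested_by"] == change["approved_by"]:
        raise PermissionError("requester and approver must be different people")
    new_policy = dict(policy)
    new_policy["version"] = policy["version"] + 1
    for key in ("trusted_domains", "large_transfer_bytes"):
        if key in change:
            new_policy[key] = change[key]
    return new_policy
```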
Importantly, FINRA expressly states that the Report "does not represent a complete inventory of observations about the industry as a whole, does not imply that any issues discussed exist at any particular firms, and should not be read as creating new legal or regulatory requirements or new interpretations of existing requirements." Indeed, "[a]n individual firm may not have any deficiencies in the risk areas identified in the Report."
Although not required, these observations and suggestions are prudent and certainly worthy of consideration by organizations of all sizes. As cybersecurity related issues continue to arise, FINRA members (and those in other industries) need to actively and continuously fine-tune and adjust their written policies and procedures for protecting sensitive information.
The attorneys in the Data Breach and Privacy Practice Group of Kane Russell Coleman Logan advise on privacy, data breach, and cyber security and liability issues. We provide consultations on cyber security policies and procedures, analyze insurance policies for coverage in the event of a data breach (pre- and post-breach), and provide rapid response in the event of a cyber-attack, including a hack, phishing scheme, malware, ransomware, and any other type of cyber-attack that may occur. Please contact any member of our firm’s Data Breach and Privacy Practice Group for more information.
[1] FINRA routinely examines broker-dealers and addresses certain aspects of the firm's compliance with securities rules and regulations. The Report's observations may be useful to firms in tailoring their compliance and supervisory programs.
[2] "Spearphishing" is an email attack that typically targets an individual or set of individuals with emails that appear to be from an entity or person known to the target.