FINRA’s Cybersecurity Best Practices

FINRA and cybersecurity are very closely related – the more secure your financial firm is, the more likely you’re fully compliant. Check out the latest recommendations from FINRA on improving your firm’s security.

The Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization that regulates certain aspects of the securities industry and is the successor to the National Association of Securities Dealers, or NASD.

As the non-governmental organization that regulates member financial firms and exchange markets, FINRA is responsible for ensuring customer data is kept secure and available. Failure to comply with their regulations that uphold these standards can be met with serious fines.

That said, it’s not like they’re unwilling to help you out – in fact, in their Report on Selected Cybersecurity Practices – 2018, FINRA tells you exactly how to improve your cybersecurity right now.

What does FINRA Have To Do With Cybersecurity?

Given the ever-evolving range of cybercrime dangers that threaten firms that FINRA monitors — those that are CFTC, SEC OCIE & NYS DFS regulated — it has quickly become evident that cybersecurity can’t be ignored.

To meet FINRA & SEC regulations, you must first understand what they require of investment firms and financial services organizations like yours. You must realize what’s classified as a violation of FINRA & SEC regulations, and make sure you put solutions in place to mitigate the risks of noncompliance.

However, knowing and understanding these regulations isn’t enough – you have to be able to meet the standards in place as well. Financial services and technology are truly inseparable. You depend on technology to help you communicate with clients and partners, streamline processes and procedures, and work efficiently while meeting the needs of those you serve.

FINRA takes into account how capable a firm is of protecting the confidentiality, integrity, and availability of sensitive customer information.

That means determining how well firms meet the following SEC regulations:

  • Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
  • Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
  • The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format

5 Cybersecurity Best Practices Recommended By FINRA

1. Branch Controls

No matter how robust your headquarters’ cybersecurity measures are, there is no guarantee that those controls extend to your branches. If you have left cybersecurity and FINRA compliance to each branch to maintain independently, it’s more than likely that they have missed the mark on a few considerations.

That’s why developing Written Supervisory Procedures (WSPs) can be so worthwhile. This type of documentation can dictate exactly how branches are to maintain cybersecurity, based on proven and accepted best practices and standards. This could include:

    1. Mandatory security controls
    2. Notifications concerning issues and breaches
    3. Accepted security settings and vendors
    4. Assignment of duties and responsibilities pertaining to cybersecurity controls
    5. Training curriculum and testing protocols

You should also make sure an inventory of cybersecurity assets (hardware and software) is made, detailing the state and expected lifetime of such assets so that they can be maintained, updated and replaced as need be.

With these baselines for practices and assets developed, it is recommended that you implement a branch review program which will double-check whether your branches are maintaining cybersecurity standards.

2. Phishing

Phishing is a method in which cybercriminals send fraudulent emails that appear to be from reputable sources in order to get recipients to reveal sensitive information and execute significant financial transfers.

Phishing attacks are mass emails that request confidential information or credentials under false pretenses, link to malicious websites or include malware as an attachment.

With only a surprisingly small amount of information, cybercriminals can convincingly pose as business members and superiors in order to persuade employees to give them money, data or crucial information.

Do your employees have the knowledge they need to spot phishing emails?

If you’re not sure, then they may need training. Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.

They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.

3. Insider Threats

Your own staff members, whether maliciously or by accident, can have a major effect on your cybersecurity as well. There are a number of factors that contribute to the frequency, damage, and potential of malicious insider threats, but the three key aspects are:

    1. Depending on how duties are assigned, what form of supervision is present, and how often employee (or even ex-employee) work is audited, the damage they cause can take a long time to discover. Often, the longer it has been, the harder the damage is to reverse.
    2. Once discovered, the response can be difficult to execute. The employee in question can often easily claim it as a mistake, or (and again, depending on the division of labor and supervision) can even appear to be doing their job as usual if they’re considered the “expert” in that work.
    3. In any case, poor management policies usually leave the door open for disgruntled employees to do damage. Low-level staffers given admin access, third-party vendors provided with authority for data they don’t actually need, and login credentials for recently terminated staff members are all common and dangerous occurrences.

The fact is that misuse of privilege is often one of the most common ways for cybercriminals to penetrate a network. Either by tricking a user with administrative privileges into downloading and running malware or by elevating privileges on a compromised non-admin account, hackers regularly make use of this highly common unsafe business practice.

You need to have a carefully implemented process to track the lifecycle of accounts on your network.

  • Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
  • Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
  • Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity.
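
One way to check the account-lifecycle points above in practice, as an added example that is not taken from the FINRA report or written by this article's author: compare an export of directory accounts against the HR roster and flag enabled accounts that break policy. The roster, the account export, the field names, the admin role list and the 90-day inactivity threshold are all constructed assumptions.

```python
from datetime import date

ADMIN_ROLES = {"it-admin"}   # assumption: only these roles justify admin rights
STALE_DAYS = 90              # assumption: inactivity threshold set by firm policy

# Constructed sample data: HR roster (source of truth) and a directory export.
ROSTER = {
    "asmith": {"status": "active", "role": "advisor"},
    "bjones": {"status": "terminated", "role": "advisor"},
    "clee": {"status": "active", "role": "it-admin"},
    "dkhan": {"status": "active", "role": "receptionist"},
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "admin": False, "mfa": True, "last_login": date(2024, 5, 28)},
    {"user": "bjones", "enabled": True, "admin": False, "mfa": True, "last_login": date(2024, 4, 2)},
    {"user": "clee", "enabled": True, "admin": True, "mfa": False, "last_login": date(2024, 5, 30)},
    {"user": "dkhan", "enabled": True, "admin": True, "mfa": True, "last_login": date(2024, 1, 15)},
    {"user": "vendor-hvac", "enabled": True, "admin": False, "mfa": False, "last_login": date(2024, 5, 1)},
]

def audit_accounts(roster, accounts, today):
    """Return sorted (user, finding) pairs for enabled accounts that break policy."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot log in; nothing to flag
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "no owner in HR roster"))
        elif person["status"] == "terminated":
            findings.append((user, "terminated staff, account still enabled"))
        if acct["admin"] and (person is None or person["role"] not in ADMIN_ROLES):
            findings.append((user, "admin rights not justified by role"))
        if not acct["mfa"]:
            findings.append((user, "multi-factor authentication not enrolled"))
        if (today - acct["last_login"]).days > STALE_DAYS:
            findings.append((user, "inactive beyond threshold"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_accounts(ROSTER, ACCOUNTS, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

Running a check like this on a schedule, and again after every termination or role change, turns the lifecycle policy into something a branch review can verify.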

4. Penetration Testing

The penetration test is an authorized attack on your organization’s technology and staff and is one of the best ways to accurately evaluate your security controls. This allows you to double-check each and every aspect of your cybersecurity posture.

FINRA recommends running penetration tests both on a regular basis and after key events – anything that makes significant changes to your firm’s infrastructure, staffing, access controls, or other cybersecurity-based considerations.

5. Mobile Devices

Having your staff use their own personal devices for work means that you don’t have to pay for the technology they’d be using otherwise. Depending on the size of your practice, that could mean potential savings of thousands of dollars that would have been necessary to pay for tablets and work phones.

No matter what kind of cybersecurity you have in place at the office, it won’t extend to the mobile devices that have access to your data.

This is a critical limitation of your cybersecurity software – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then you won’t be totally secure.

Set a policy for when and how mobile devices will be used. Integrated into your internal network, these devices can be used to access, store, transmit, and receive business data.

You’ll need to have policies in place to regulate how employees use their devices to interact with sensitive data. Take the time to consider the risks associated with mobile device use, such as the potential for devices containing business data to be lost or stolen, infected with malware, or the potential for accidental disclosure of confidential information through sharing a device with a family member or connecting to an unsecured wireless network.

You also need to consider how mobile device use can pose risks to your data. A risk analysis will help you identify vulnerabilities in your security infrastructure, and help you determine the safeguards, policies, and procedures you’ll need to have in place.

Whether the devices in question are personal devices or provided by your Fort Lauderdale IT company, you will still need to have a clear idea of how they’re being used to communicate with your internal network and systems.

Assessments should be conducted periodically, especially after a new device is granted access, a device is lost or stolen, or a security breach is suspected.

Lastly, make sure you develop, document, and implement mobile device usage policies and procedures. Policies that are designed for mobile devices will help you manage risks and vulnerabilities specific to these devices.

These policies should include processes for identifying all devices being used to access business data, routinely checking that all devices have the correct security and configuration settings in place, whether or not staff can use mobile devices to access internal systems, whether staff can take work devices home with them, and how you will go about deactivating or revoking the access of staff members who are no longer employed.

Regardless of what type of cybersecurity solutions you put into place, they should be optimized for future technologies and content types. They also should be easy to update and scalable. Static or multiple standalone options that only target individual needs or requirements won’t be enough.