FINRA Publishes New Cybersecurity Report

FINRA recently published its Report on Selected Cybersecurity Practices – 2018, a detailed review of effective information-security controls at securities firms. The report represents the newest initiative in FINRA’s ongoing effort to help broker-dealers – including small firms – further develop their cybersecurity programs.

Back in 2015, FINRA released its Report on Cybersecurity Practices that drew in large part from the results of a targeted examination (“sweep”) of firms. While the 2018 report covers a lot of the same overarching principles, it also adds greater depth and detail. For example, the section on branch controls lists more than three dozen specific, effective practices across written supervisory procedures, asset inventories, technical controls and branch review programs. It also includes an appendix covering core cybersecurity controls for small firms, which, in addition to the “Small Firm Cybersecurity Checklist,” can help smaller businesses identify possible cybersecurity controls.

The report covers the following five areas of cybersecurity best practices:

Branch Locations

FINRA has observed that some firms face challenges maintaining effective cybersecurity controls at their branch locations. Branches’ autonomy from the home office may adversely affect firms’ ability to implement a consistent firm-wide cybersecurity program. Firms may face greater challenges if their branches, for example, purchase their own assets, use non-approved vendors or do not follow their firms’ software patching and upgrade protocols.

FINRA has observed firms implementing the following effective practices:

1.) Establishing Written Supervisory Procedures (WSPs) to define minimum cybersecurity controls for branches and formalize oversight of branch offices;

2.) Developing an inventory of branch-level data, software and hardware assets;

3.) Maintaining branch technical controls; and

4.) Implementing a robust branch cybersecurity examination program.

Phishing Attacks

Social engineering or “phishing” attacks are one of the most common cybersecurity threats firms have discussed with FINRA. Phishing attacks may take a variety of forms, but all of them try to convince the recipient to provide information or take an action.

Phishing is a serious threat to firms and their customers. Victims of phishing attacks may release customer, firm, or personal information to cyber criminals; engage in unauthorized wire transfers or payments; or introduce viruses, malware, ransomware, or crimeware that destroys, shuts down, takes over or infects firm systems. Although most firms are aware of the risks posed by phishing attacks, many firms could do much more to strengthen their controls to mitigate this threat.

FINRA has observed firms implementing the following effective practices:

1.) Creating policies and procedures to specifically address phishing;

2.) Including phishing scenarios in the firm-level risk assessment process;

3.) Establishing confirmation policies and procedures for transaction requests over a reasonable threshold to reduce the likelihood of successful spear phishing or whaling attacks;

4.) Implementing email scanning and filtering to monitor and block phishing and spam communication;

5.) Regularly training employees on phishing and related firm policies and procedures;

6.) Conducting regular simulated phishing email campaigns to evaluate employee understanding and compliance with the firm’s policies and procedures;

7.) Developing remedial training and imposing appropriate consequences for employees who repeatedly violate the firm’s phishing standards;

8.) And more! 

Insider Threats

Insider threats remain a critical cybersecurity risk because an insider typically circumvents many firm controls and may cause material breaches of sensitive customer and firm data. Whether due to malicious behavior—such as a bad actor who plans to sell customer account data on the dark web—or inadvertent error—such as a registered representative who loses his or her laptop or other storage media containing unencrypted customer PII—insiders are in a unique position to cause significant harm to an organization.

FINRA has observed that effective insider threat programs typically integrate the following components into an overarching, risk-based insider threat program:

1.) Executive leadership and management support;

2.) Identity and access management policy and technical controls, including heightened controls for individuals with privileged access;

3.) Technical controls including security information and event management (SIEM) and data loss prevention (DLP) tools, as appropriate for the scale and technological sophistication of the firm;

4.) Training for all insiders; and

5.) Measures to identify potentially abnormal user behavior in the firm’s network.

Penetration Testing

Penetration testing (or a pen test) is an important element in many firms’ cybersecurity programs. A pen test simulates an attack on a firm’s internally- or externally-facing computer network to determine the degree to which malicious actors may be able to exploit vulnerabilities in the network and to evaluate the effectiveness of the firm’s protective measures.

For example, one particular type of pen test focuses on a firm’s web application to evaluate its security design and associated databases (e.g., a firm’s public website where employees, representatives or customers log in to access account and position data, including PII or other confidential information). The pen test process requires an active analysis of a firm’s network, applications or other targets for any weaknesses, technical flaws, gaps or vulnerabilities. Such testing often involves both automated scanning tools and manual techniques and may include social engineering.

FINRA has observed firms implementing the following effective practices:

1.) Adopting a risk-based approach to penetration testing;

2.) Thoroughly vetting their testing providers;

3.) Establishing contractual provisions that carefully prescribe vendor responsibilities;

4.) Rigorously managing and responding to pen test results; and

5.) Periodically rotating testing providers to benefit from a range of skills and expertise.

Mobile Devices

The widespread and expanding use of mobile devices creates new opportunities for attacks on sensitive customer and firm data. Employees, customers, consultants and contractors may regularly use smartphones, tablets, laptops and other devices for a variety of activities, including communication, trading, receiving investment alerts, money transfers and account monitoring.

As the industry becomes more reliant on mobile devices, risks associated with this technology continue to increase. Firm and personal mobile devices are exposed to risks including, but not limited to, malicious advertisements and spam communication; infected, cloned or pirated mobile applications; vulnerabilities in mobile operating systems; and phishing, spoofing or rerouting of calls, emails and text messages.

FINRA has observed firms implementing the following effective practices for their employees, consultants and contractors:

1.) Developing policies and procedures addressing employee obligations to protect customer and firm information and “bring your own device” standards for the use of personal devices for firm business;

2.) Prohibiting the use of personal devices for firm business unless the devices have been approved by the firm, and the employee has signed an attestation agreeing to comply with the firm’s policies and procedures;

3.) Including reviews of mobile device security controls in branch office audits and inspections, including for remote employees and branch office staff;

4.) Ensuring that firm compliance and technology support staff have sufficient expertise in mobile cybersecurity issues;

5.) Providing regular training to all firm employees, consultants and contractors on firm mobile device requirements and effective practices to protect mobile devices;

6.) Maintaining an inventory of all personal and firm devices used to access firm systems and data;

7.) Requiring all personal devices to maintain a separate, secure, encrypted mobile device management (MDM) application for all firm activities;

8.) And more!