FINRA Releases Video Series on Cybersecurity Pitfalls
In a three-part video series, FINRA provides guidance on common deficiencies recently identified during its cybersecurity examinations of member firms. These failings involve branch controls, data protection and password security, and the series acts as a checklist for broker-dealers to ensure their cybersecurity protocols are up to snuff with the latest industry best practices.
Although cybersecurity is among FINRA’s top concerns, the self-regulator doesn’t actually have its own set of cybersecurity rules. FINRA does, however, examine firms’ cybersecurity programs to identify issues, concerns or violations stemming from a lack of framework. Within those examinations, the following areas remain some of the most significant cybersecurity risks for firms today.
In the video series, FINRA states that the compliance departments doing the best job of protecting their firms are those that have the involvement from the top of their organization. FINRA also recommends that firms appoint one person responsible for organizing the entire firm’s program. That person, FINRA advises, should then open a continuous dialogue with senior management on the issues he/she is seeing and what resources are needed to successfully combat potential risks.
A big issue for firms, especially those that work off of an independent contractor model, is that branch offices often have weaker cybersecurity controls than those used at the firm’s home office. According to FINRA, these problems relate to the branch’s use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data. When new branches come on, FINRA recommends implementing annual training that addresses potential risks and how to protect sensitive information.
Access issues arise with respect to both firm representatives and outsiders such as vendors. For example, in the video series, FINRA recommends that representatives within the firm be granted access only on an as-needed basis. In what FINRA identifies as a common pitfall, firms must have a process in place for how people are granted access to data and how that access is restricted when an individual moves to a different role or is no longer with the company.
Before even signing on with a vendor, FINRA suggests verifying what controls they have in place to manage your data and who exactly will have access to that data. This review needs to take place on an annual basis to ensure their controls are doing exactly what they say they are doing. It’s equally important to know what they intend to do with your data if you decide to transition that compliance task to another vendor.
A huge part of protecting your data is knowing exactly where it is (whether inside or outside the organization). In the video series, FINRA discusses the importance of encrypting data whether it’s in transit, such as between the home office and a branch, or when it’s at rest within your firm’s four walls. Additionally, FINRA likes to see policies and procedures surrounding removable media, such as CDs or jump drives.
As for access to firm data and systems from outside the firm’s network, FINRA feels strongly that reliance on usernames and passwords is not sufficient. Instead, firms should require multi-factor authentication for access to firm systems from outside the organization. As for the passwords themselves, FINRA believes it is important that passwords be long (eight or more characters) and complex (with a combination of special characters), and that the firm require passwords to be changed periodically.
In addition to this video series, just last week the SEC’s Office of Compliance Inspections and Examinations released a risk alert on firms’ cybersecurity preparedness. These resources provide firms with a healthy reminder of some key issues and recommended best practices. Firms with a less robust cybersecurity program would be well advised to pay close attention to these materials to help correct weak spots in their programs and, ultimately, better protect their clients’ assets.