Cybersecurity for Broker-Dealers

As technology continues to advance and broker-dealers become increasingly dependent on it, cybersecurity has been pushed to the forefront of the financial industry.  The nature of the industry requires broker-dealers to maintain records of sensitive client information including, but not limited to, account numbers, social security numbers, licenses, and financial condition.  If any of this information is compromised by an outside party, not only will the investor suffer; the broker-dealer may suffer as well.

In 2011, FINRA conducted a survey of 224 broker-dealers to gain a better understanding of the vulnerabilities that broker-dealers face in their technology infrastructure.  In 2014, FINRA took action again in response to the industry's increased cybersecurity risks and conducted a targeted examination of broker-dealers.  The four primary objectives of the 2014 examination were to better understand the types of threats that broker-dealers face; to increase its understanding of broker-dealers' risk appetite, exposure and major areas of vulnerability in their information technology systems; to better understand broker-dealers' approaches to managing these threats; and to share observations and findings with broker-dealers.  Based on the data collected from the 2011 survey and the 2014 examination, FINRA released a report that provides recommendations for broker-dealers to implement.  The recommendations should help minimize broker-dealers' exposure to cyber threats.

The report recommended that broker-dealers take the necessary steps to establish a cybersecurity governance framework that includes defined risk management policies, processes and structures, coupled with relevant controls tailored to the nature of the cybersecurity risks the broker-dealer faces and the resources the broker-dealer has available.  Establishing a cybersecurity governance framework will not only alert the broker-dealer to the risks it faces but also give it an opportunity to manage those risks.  The framework should assign roles and responsibilities to individuals so that those persons know whom to communicate with and how to respond to cyber risks.

Establishing a cybersecurity governance framework is only the first step: broker-dealers should also conduct regular assessments to identify the cybersecurity risks associated with their assets and vendors.  One of a broker-dealer's major assets is the databases that store client data.  It would be good practice for a broker-dealer to have a clear understanding of every party that is given access to those databases.  FINRA also recommended that broker-dealers implement a training program that has a cybersecurity component.  According to FINRA, effective practices for cybersecurity training include defining cybersecurity training needs and requirements; identifying appropriate cybersecurity training update cycles; delivering interactive training with audience participation to increase retention; and developing training around information from the broker-dealer's loss incidents, risk assessment process and threat intelligence gathering.

In May 2016, FINRA released a Cybersecurity Checklist to assist broker-dealers in establishing a cybersecurity program that will allow them to recognize, manage, and respond to risks.  The Checklist is very extensive and should be a great starting point for broker-dealers that have not yet addressed cybersecurity.  For broker-dealers that have already implemented a cybersecurity governance framework, the Cybersecurity Checklist may reveal areas that they have not addressed.  The checklist is broken down into twelve sections.

The twelve sections are as follows:

  • Section 1-Identify and Assess Risks: Inventory
  • Section 2-Identify and Assess Risks: Minimize Use
  • Section 3-Identify and Assess Risks: Third Party
  • Section 4-Protect: Information Assets
  • Section 5-Protect: System Assets
  • Section 6-Protect: Encryption
  • Section 7-Protect: Employee Devices
  • Section 8-Protect: Controls and Staff Training
  • Section 9-Detect: Penetration Testing
  • Section 10-Detect: Intrusion
  • Section 11-Response Plan
  • Section 12-Recovery

The questions posed within each section force a broker-dealer to think about the steps it has taken to protect itself.  For instance, in Section 4-Protect: Information Assets, the checklist asks whether the broker-dealer has password protection, malware/anti-virus protection, or other protections such as firewalls.  In Section 6-Protect: Encryption, the checklist asks whether data is encrypted in transit to external sources, whether data is encrypted when shared internally and at rest within the system, whether data is encrypted when archived to backup media, and whether data is masked when displayed.  Without discounting the importance of any of the sections, one that many broker-dealers may not think about is Section 7-Protect: Employee Devices.  Many broker-dealers forget that their employees may access sensitive client information from their personal devices.  If this is the case, it is important to ensure that those personal devices have cybersecurity protections.  Section 7 asks whether the device has access to personally identifiable information and broker-dealer sensitive data, what the risk severity level is, whether the device is protected or encrypted, whether the employee has the ability to wipe the device remotely if it is lost, and whether only authorized persons can download software.
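As an added illustration of the Section 6 question "is data masked when displayed" (example code written for this post, not part of FINRA's checklist or any broker-dealer system), the snippet below masks the client data types the post lists, account numbers and social security numbers, before a record reaches a screen or a log, and includes a guard that detects a record still carrying a full SSN.  The client record is constructed sample data.

```python
import re

# Constructed sample client record (not real data) containing the field
# types the post names as client-sensitive.
SAMPLE_RECORD = {
    "client": "J. Doe",
    "ssn": "123-45-6789",
    "account_number": "9876543210",
    "phone": "555-0100",
}

# Fields that must never be shown in full on screen or written to logs.
SENSITIVE_FIELDS = {"ssn", "account_number"}

# Full SSN shape, with or without dashes, used by the display guard.
SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def mask_value(value: str, keep_last: int = 4) -> str:
    """Replace every digit except the trailing `keep_last` with '*',
    keeping separators so the format stays recognisable.  Values with
    `keep_last` or fewer digits are masked entirely."""
    digit_count = sum(c.isdigit() for c in value)
    if digit_count <= keep_last:
        keep_last = 0
    to_hide = digit_count - keep_last
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append("*" if seen < to_hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_record(record: dict) -> dict:
    """Return a display copy with sensitive fields masked; the stored
    (encrypted-at-rest) record is left untouched."""
    return {k: (mask_value(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def contains_unmasked_ssn(record: dict) -> bool:
    """Guard for display/logging paths: True if any value still holds a full SSN."""
    return any(SSN_PATTERN.search(str(v)) for v in record.values())


if __name__ == "__main__":
    shown = mask_record(SAMPLE_RECORD)
    print(shown, "unmasked SSN present:", contains_unmasked_ssn(shown))
```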

Although the Cybersecurity Checklist is extensive, a broker-dealer that takes the time to work through it may prevent a cybersecurity breach.  However, it is important to note that the Cybersecurity Checklist will not be a defense for broker-dealers that violate any of the securities laws.  FINRA provided the Cybersecurity Checklist only as a reference.

Click on the link to check out the complete checklist. For more on cybersecurity and the securities industry, please see our other blogs on the topic.