Cybersecurity programs remain a significant priority for financial services industry regulators, including the SEC, FINRA, and state securities regulatory agencies. As mentioned in FINRA’s 2018 Annual Regulatory and Examination Priorities Letter, member firms need to have cybersecurity programs in place, and such programs must be capable of protecting sensitive information, including personally identifiable information of clients, from both internal and external threats. Over the past couple of years, awareness of cybersecurity risk has increased dramatically. However, as awareness increases, so does the sophistication of cybersecurity threats. And even a robust cybersecurity program can be compromised by something as simple as an employee opening an email attachment that contains malware. So, what can a firm do to combat phishing and spearphishing attacks, ransomware attacks, fraudulent third-party wires, etc.?
FINRA has identified certain areas where firms can generally improve their cybersecurity programs.
1) Access Management
Firms must address basic access management issues, such as terminating departing employees’ access to firm systems in a timely manner. Privileged system users must be monitored; firms must implement procedures to log, monitor, and supervise their activities to detect anomalies (users assigning themselves extra access rights, performing unauthorized work during off-hours, logging in from multiple geographic locations concurrently, etc.).
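As an added illustration of the privileged-user monitoring described above (example code written for this post, not FINRA's guidance or any firm's tooling), the following Python script applies the three anomaly rules listed in the section to constructed audit-log records. The privileged-user list, business-hours window, session window, and record layout are all assumptions.

```python
# Added example: detect the privileged-user anomalies the section names
# (self-granted rights, off-hours activity, concurrent logins from
# different locations) over constructed audit-log records.
from datetime import datetime, timedelta

PRIVILEGED = {"alice", "bob"}           # assumed set of admin accounts
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 local, assumed policy
SESSION = timedelta(hours=1)            # logins this close together overlap

# Constructed sample records: (timestamp, actor, action, target, location)
LOG = [
    ("2018-03-05T09:12:00", "alice", "login", "", "New York"),
    ("2018-03-05T09:30:00", "alice", "login", "", "Hong Kong"),         # concurrent geo
    ("2018-03-05T10:05:00", "bob", "grant_role", "bob", "Chicago"),     # self-grant
    ("2018-03-05T23:40:00", "bob", "db_export", "customers", "Chicago"),  # off-hours
    ("2018-03-05T11:00:00", "carol", "login", "", "Boston"),            # not privileged
    ("2018-03-05T14:00:00", "alice", "grant_role", "carol", "New York"),  # normal
]

def detect_anomalies(records):
    """Return (rule, actor, detail) findings for privileged users, in log order."""
    findings = []
    logins = {}                         # actor -> [(time, location), ...]
    for ts, actor, action, target, location in records:
        when = datetime.fromisoformat(ts)
        if actor not in PRIVILEGED:
            continue
        # Rule 1: a privileged user assigning rights to their own account
        if action == "grant_role" and target == actor:
            findings.append(("self_grant", actor, ts))
        # Rule 2: privileged activity outside business hours or on a weekend
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            findings.append(("off_hours", actor, f"{action} at {ts}"))
        # Rule 3: logins from two different locations within one session window
        if action == "login":
            for prev_time, prev_loc in logins.get(actor, []):
                if prev_loc != location and abs(when - prev_time) <= SESSION:
                    findings.append(("concurrent_geo", actor, f"{prev_loc}/{location}"))
            logins.setdefault(actor, []).append((when, location))
    return findings

if __name__ == "__main__":
    for rule, actor, detail in detect_anomalies(LOG):
        print(f"{rule:15} {actor:6} {detail}")
```

In practice the rules would run against the firm's actual access logs and feed the supervisory review the section calls for, with the thresholds set by the firm's own policy.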
2) Risk Assessments
Firms must be able to effectively identify their critical assets and potential risks to those assets. Firms must also have formal processes to conduct ongoing risk assessments of their data, systems, and applications.
3) Vendor Management
Firms must have formal processes to review a prospective vendor’s cybersecurity preparedness or to ensure new vendors have appropriate protections in place. Contracts with vendors must address key areas such as the vendor’s responsibilities regarding notifying the firm in the event of a breach of customer or firm data. If a firm contracts with a parent organization for cybersecurity services, the parent organization’s cybersecurity responsibilities must be properly and sufficiently documented.
4) Branch Offices
Firms must ensure that cybersecurity procedures are implemented and enforced across branch offices with the same diligence as at the firm’s main office. Branch offices must be able to follow cybersecurity measures such as managing passwords, implementing patches and software updates, updating anti-virus software, controlling removable storage devices, encrypting data, and reporting incidents.
5) Segregation of Duties
Firms must segregate the responsibilities for requesting, implementing, and approving cybersecurity rules and system changes. For example: application developers should not be allowed to access sensitive data in production systems or implement application code into production without appropriate oversight; network engineers should not perform cybersecurity or information security functions without appropriate oversight.
6) Data Loss Prevention
Firms should make sure they have implemented data loss prevention tools, and that they have ensured the strength of those implementations, including: rules that prevent transmission of Social Security Numbers and customer account numbers; rules to flag or block large file transfers to outside, untrusted recipients; and formal change-management processes for data loss prevention system rule changes.
7) Staff Training
Firms must ensure that their staff are trained on the cybersecurity measures and protocols that have been implemented and how to use them appropriately, what requirements need to be followed, what to be on the lookout for, and whom to report issues to. A firm’s biggest security vulnerability is its own people. Having programs in place without training does not do the firm, its employees and representatives, or its clients any good.