FINRA Encryption Best Practices

Twenty years ago, when all of us worked in the office, the IT department was able to manage a broker dealer's cyber security fairly well. All of the computers ran on a main network where firewalls and malware protection could be maintained on a regular basis. Then came COVID, and all personnel began to work remotely. Post COVID, much of the broker dealer workforce still works remotely; it has become the new normal. How can your broker dealer's IT department and/or vendor make sure that everyone's computer equipment is up to date with the strongest and most current protection when employees are scattered across the country? To this end, the Financial Industry Regulatory Authority (FINRA) has some requirements and best practices that your broker dealer can put in place.

FINRA Regulatory Notice 10-59 sets the standard that every computing device within the broker dealer uses at least 256-bit or higher encryption. This type of encryption is widely available through third-party vendors at reasonable cost. Once the broker dealer has this in place, all employees of the firm need to be trained on encryption best practices and on how to keep the broker dealer's client information from being stolen. Phishing, malware, and unauthorized emails are just a few of the ways that thieves collect clients' personal and non-public information.

Several encryption best practices are listed below:

  • All confidential non-public information must always be encrypted.
  • Train all employees on what not to do:
    • Do not respond to any email with confidential information.
    • Do not respond to any email that looks unfamiliar.
    • Do not click on any suspicious links.
  • Ensure that strong passwords are used on all software products and on the device being used (e.g., desktop computer, laptop).
  • If multifactor authentication (MFA) is available, use it.
  • Do not use public devices and/or public and unsecured wi-fi.

It is of the utmost importance that your broker dealer create cybersecurity policies and procedures to ensure it is doing its best to protect the client. During a FINRA audit, examiners will ask for these policies and procedures and for evidence of how the broker dealer is enforcing them. Several observations made during FINRA exams include (but are not limited to):

  • Ensuring that all confidential data has been encrypted.
  • Confirming that the broker dealer has branch-level cybersecurity policies in place for every piece of equipment and that a current asset list, covering both software and hardware, is maintained.
  • Evidence of comprehensive training provided to all employees, registered representatives, and third parties who have access to confidential information.
  • Maintaining proper supervision of all modifications to software and hardware within the broker dealer, including upgrades, vendor changes, and/or various integrations.

If your broker dealer needs cybersecurity consulting, please contact SCM here to set up a meeting.