Cybersecurity remains one of the principal operational risks facing broker-dealers and Registered Investment Advisers. Accordingly, FINRA and the SEC’s examiners expect firms to have reasonably designed cybersecurity programs and controls consistent with the firm business model and scale of operations to ensure that sensitive data, including client information, is not lost or misused, or accessed by unauthorized users.
Examiners continue to inquire into the Firm’s controls regarding firewalls, vulnerability, penetration testing, and training during office examinations.
Observations
According to FINRA’s 2021 report on FINRA’s Examination and Risk Monitoring Program, “FINRA recently observed an increased number of cybersecurity or technology-related incidents at firms including:
- system wide outages
- email and account takeovers
- fraudulent wire requests
- imposter websites; and
- ransomware.”
Effective Practices
Below are some effective processes that firms should consider implementing to protect sensitive client and firm data from unauthorized access.
- Implement a policy for access rights based on job duties and remove access when it is no longer needed, including limiting and tracking individuals with administrator access.
- Encrypt all confidential data, such as social security numbers, account profile information, account numbers, and the Firm’s confidential information.
- Require the use of Multi-Factor Authentication for all firm personnel, vendors, and contractors.
- Maintain inventory of branch-level data, software, and hardware assets.
- Implement automated monitoring programs to ensure updates are being installed promptly among all computers, servers, network routers, and software used for business.
- Implement formal policies to review prospective and existing vendors’ cybersecurity policies. For example, the Firm should have procedures that include third-party on boarding vendors, ongoing monitoring, and defining how vendors will dispose of non-public client information upon separation from service with a vendor.
- Create a formal incident response plan outlining procedures for responding to cybersecurity and information security incidents.
- Implement controls to mitigate system capacity performance and integrity issues that could undermine its ability to conduct business and operations, monitor risk, or report essential information.
- Controls in place for data destruction of computer hard drives, printers/scanner/fax hard drives, and other network hardware.
- Provide comprehensive training on cybersecurity threats, phishing, and the incident response plan to all registered and unregistered firm personnel, third-party providers, and consultants.
- Implement procedures to document, review, prioritize, test, approve, and manage hardware and software changes, as well as system capacity.
Conclusion
Collaboration across multiple departments of a firm, such as technology, risk, and compliance, will help assess key risk areas and develop procedures to identify, mitigate, and respond to cybersecurity-related incidents. Additionally, collaboration among different departments will strengthen the Firm’s policies, awareness and mitigate potential violations of protecting client and firm non-public information.
For more information:
Cybersecurity and Technology Governance | FINRA.org
OCIE Cybersecurity and Resiliency Observations.pdf
Cybersecurity | FINRA.org
MasterCompliance provides expert consulting, outsourcing, and implementation tools in planning and budgeting your Firm’s compliance responsibilities. If you need assistance with your Compliance program, contact us.