April 30, 2018
Preparing for FINRA Exams, Part 2: Cybersecurity
I hope that you have had a chance to read Preparing for FINRA Exams, Part One: OBAs and PSTs. For part two, we will be discussing Cybersecurity.
Cyberattacks, like any other attack, can seemingly appear out of thin air and you should prepare your infrastructure and your employees for them. If you have seen any of the Rocky movies, you know there will always be a new plot, another villain, and another fighter to deal with. The same is true with cyberattacks - there is always another threat, another attack, and another new tactic to combat.
Recently FINRA has seen an increase in successful cyberattacks. These attacks have led to increased attention towards cybersecurity threats. Your firm may have a strong cybersecurity policy already, but this program needs to match how your firm operates. There is no one-size-fits-all program.
Rocky Balboa trains a great deal, for whatever villain he is going to face. It is no different for you. Implementing cybersecurity training and testing for your employees and management teams is a great start. Your employees should have at least a base knowledge around what to look for while working.
Phishing is one of the easiest forms of cyberattack a criminal can use. You and your employees should be educated on what phishing is and how to detect such attacks. Social engineering can also take a physical form: some scammers plant a “bait” USB drive in hopes that an employee will plug the device into his or her computer out of curiosity. The scammer is then able to harvest sensitive information or upload malware onto an otherwise secure network.
Provide positive reinforcement for employees who bring a potential threat to your attention. Even if their concern turns out to be misplaced, it proves they are taking the time to look for issues. Also, allow your employees to provide feedback on your security policy. Sometimes an outside perspective will shed light on a weak area that you missed initially. Follow an established framework, such as ISO 27001, NIST 800-53 or the CIS 20 Critical Security Controls, to better protect and educate your firm.
FINRA wants you to be in top fighting condition, come time for the cyberattack bell to ring. They have highlighted common areas to address in your cyber training regimen:
- Terminate employee access in a timely manner
- Revenue sharing arrangements
- Monitor the ability of users to assign themselves various access rights
- Prevent users from performing unauthorized work during off hours
- Prevent users from logging in from different locations simultaneously
- Conduct risk assessments on your data continuously
- Identify the possible risks and the assets that can be affected
- Contractually require vendors to notify your firm in the event of a breach of data
- Fully document the vendor's cybersecurity responsibilities, within a service-level agreement
- Implement patches and software updates
- Update anti-virus software
- Control removable storage devices
- Encrypt your data
Segregation of Duties – Especially for small and medium firms
- Request, implement, and approve cybersecurity rules and program changes
- Do not allow application code to be implemented without supervision
- Supervise all cybersecurity and information security functions
Data Loss Prevention – Especially for small firms
- Create broad rules to prevent Social Security numbers from being transmitted unknowingly
- Establish thresholds to prevent large files being transmitted to untrusted recipients
- Implement formal processes for data loss prevention system rule changes
In a perfect world, your firm would not have to worry about attacks. In the real world, threats and attacks are common. Your cyber program may not be as sound as you think, and if you find new vulnerable areas, you should address them ASAP. Technology changes daily, and so do potential threats. Set a schedule to regularly review and adapt your cybersecurity program so that when a cybercriminal attacks your firm, you are ready with a knockout punch.
If you have questions about specific standards or regulations and/or how they might apply to you and your business, please consult a licensed attorney in your jurisdiction.
Daeten Smith is a Marketing Specialist at Vertafore, where he helps convey the benefits of Sircon solutions for Broker Dealers and Investment Advisors. When he isn't trying to be creative, you can find him training for his next powerlifting meet.