On December 20, 2018 FINRA published its Report on Selected Cybersecurity Practices – 2018, detailing FINRA’s observations regarding effective information-security practices implemented at securities firms.
The report focuses on five topics:
- Cybersecurity controls in branch offices;
- Methods of limiting phishing attacks;
- Identifying and mitigating insider threats;
- Elements of a strong penetration-testing program; and
- Establishing and maintaining controls on mobile devices.
- FINRA observed firms facing challenges maintaining effective cybersecurity controls at their branch locations.
- FINRA recommends firms evaluate whether they need to enhance their branch-focused cybersecurity measures to maintain robust cybersecurity controls to protect customer information across their organizations.
- FINRA observed firms implementing effective practices in this area as it relates to establishing written supervisory procedures, asset inventories, technical controls and branch review programs.
- Social engineering or “phishing” attacks are one of the most of the common cybersecurity threats firms discussed with FINRA.
- Due to the growing sophistication and quality of phishing attacks, it is challenging for recipients to distinguish phishing from legitimate communications.
- FINRA provides a list of effective practices on how to detect potential phishing attacks, including attempts that appear to be from “trusted sources” (i.e., a CEO or other executive, the company help desk, customers or friends).
- Insider threats were identified as a critical cybersecurity risk because an insider typically circumvents many firm controls and may cause material data breaches of sensitive customer and firm data.
- FINRA observed firms that integrated senior management support, access and technical controls, training and measures to identify abnormal user behavior into an overarching risk-based insider threat program were able to effectively address this risk.
- FINRA identified penetration testing as an important element in firms’ cybersecurity programs, especially for firms that manage or store confidential or critical data such as trading strategies, customer PII, information about mergers and acquisitions or confidential information from other entities (e.g., in the case of clearing firms).
- Penetration tests are viewed more as a function of a firm’s business model and technology infrastructure and less of a function of firm size.
- Effective practices observed in this area include adopting a risk-based approach to penetration testing, vetting testing providers, and rigorously managing and responding to test results.
- Due to the widespread and expanding use by employees, customers, consultants and contractors, mobile devices create new opportunities for attacks on sensitive customer and firm data.
- Some risks identified include spam communication, infected, cloned or pirated mobile applications; vulnerabilities in mobile operating systems; and phishing calls, emails and text messages.
- Firms with large numbers of retail customers may be subject to greater exposure.
- FINRA provides a list of best practices for firms to address the risks identified regarding mobile device use by employees, consultants, contractors and customers.
FINRA acknowledges that all firms are different and not all practices will be relevant to each firm, especially smaller firms. As such, FINRA provides a list of “Core Cybersecurity Controls for Small Firms” which details various practices FINRA believes are relevant for many small firms’ cybersecurity programs.
For further information, you can find the entire report here.