On December 20, 2018, the Financial Industry Regulatory Authority (“FINRA”) released a Report on Selected Cybersecurity Practices for broker-dealer firms.  This report reflects FINRA’s current perspective on the cybersecurity threat landscape based on observations from its examinations of securities firms.  Below we discuss the report’s key observations and contextualize these insights for members of the financial industry.

Analysis

FINRA, like other regulators, has focused on cybersecurity in recent years.  In 2015, it published a broader Report on Cybersecurity Practices, which offered guidance on the elements of a “holistic firm-level cybersecurity program.”  Similarly, FINRA has regularly identified cybersecurity threats as a key risk to industry participants in its annual Regulatory and Examination Priorities Letter in 2017 and 2018, as well as in a December 2017 Report on Examination Findings which described certain cybersecurity practices that FINRA found to be effective.

In this most recent report, FINRA addresses a narrower set of issues than its 2015 Report by focusing on five “primary challenges and the most frequent cybersecurity findings from [its] firm examination program” related to:  (i) branch controls, (ii) phishing, (iii) insider threats, (iv) penetration testing, and (v) mobile devices.

  • Branch Controls. The report notes that firms’ branch offices are uniquely vulnerable to cybersecurity risks as their autonomy from their home offices can adversely impact their ability to implement or adhere to firm-wide cybersecurity protocols.  In addition, branch offices may lag behind their head offices in upgrading software and replacing hardware, which leaves branch offices more exposed to risk as weaknesses in legacy software and outdated hardware increase over time.

To address these vulnerabilities, FINRA suggests that firms consider implementing new or enhanced guidance and oversight measures.  Such measures may include establishing branch-level written supervisory procedures that outline and consolidate minimum cybersecurity controls and standards into user-friendly guides; inventorying branch data, software, and hardware assets; implementing technical controls; and maintaining robust cybersecurity examination and risk-assessment programs.

With the total number of branch offices registered with FINRA now topping 150,000, the report’s headline focus on cybersecurity controls at branch locations comes as no surprise.  Both FINRA’s 2017 and 2018 annual priority letters included brief discussions about the importance of branch oversight, including independent contractor branches.  Likewise, the Securities and Exchange Commission (“SEC”) has also recently highlighted the importance of branch management for investment advisors in its 2019 OCIE Examination Priorities report.  Ensuring branch controls is clearly a focus of regulators.

  • Phishing. Phishing schemes—which lure users into performing certain actions or providing access to sensitive information to an outside attacker masquerading as a trustworthy entity—remain “one of the most common cybersecurity threats firms have discussed with FINRA.”  The report identifies as effective practices the implementation of technical controls to filter out phishing communications and regular trainings on phishing, inclusion of phishing scenarios in firm-level risk assessment processes, and imposition of disciplinary action for employees who repeatedly violate phishing policies.  Notably, the SEC also highlighted the fraud risks associated with phishing attacks in its October 2018 Report of Investigation.
  • Insider Threats. Insider threats originating from within the organization itself can range from the inadvertent loss of a USB drive to a disgruntled employee seeking to capitalize on their access to sensitive or valuable information.  The report recognizes that insider threats are often uniquely difficult to address, given that the insider frequently has legitimate and ready access to sensitive information.

To address these threats, the report outlines a layered approach of establishing written supervisory procedures that require the monitoring of users’ system access and placing a series of checks on employees’ ability to misuse their credentials.  The report identifies effective measures that include designating a senior manager to oversee the firm’s insider threat controls, limiting system user access lifecycles (e.g., retiring credentials when are no longer in use), conducting periodic reviews of user entitlements, and segmenting or otherwise curtailing privileged users system access according to their roles.

  • Penetration Testing. The report discusses the benefits of regular penetration testing, which simulates an attack on a firm’s computer network to identify system vulnerabilities that attackers may find and exploit.  The report describes a risk-based approach to penetration testing that tests high-risk systems more frequently than low-risk systems and addresses issues involving the former more quickly.  The report also notes that third parties that frequently conduct penetration testing are likely to have specialized knowledge of the cyber risk landscape and the capacity to conduct more realistic testing than firms may be able to do on their own.
  • Mobile Devices. The report’s last area of focus is the heightened cybersecurity risks resulting from firms’ increasing reliance on mobile devices.  The report notes that, as compared to stationary in-office devices, mobile devices are exposed to higher risks of theft, cloning, or infection through the easy installation of malicious applications.  The report discusses measures that have helped mitigate these risks, including prohibiting the use of personal devices for firm business, providing regular training on the use of mobile devices, installing security software, implementing reporting procedures for lost personal or firm devices, and ensuring that the firm is able to remotely wipe its data from devices that are either lost by current or owned by former employees.

Conclusion

FINRA, like other agencies, has recognized that “there is no one-size-fits-all approach to cybersecurity.”  Instead, the appropriateness of a cybersecurity program is generally a fact-specific and individualized determination that depends on the size and scope of, and the likely risks faced by, the firm.  The report does not endorse specific cybersecurity requirements.  However, as a consistent set of practices becomes commonplace across regulatory guidance—like conducting vendor diligence and oversight and establishing regular training and incident response procedures—market participants should expect increased scrutiny when they deviate from those practices.