Financial firms, including broker-dealers and registered investment advisers, are at a high risk of cybersecurity attacks primarily because they control both their own data and the sensitive data related to clients.
In an effort to educate broker-dealers about the cyber-best practices, FINRA published their Report on Selected Cybersecurity Practices - 2018 in December 2018. In this report, FINRA identified five areas where the firms they regulate struggle the most:
- Branch office control
- Phishing attacks
- Insider threats
- Penetration testing
- Employees’ use of mobile devices
It is important to note that FINRA “does not create any new legal requirements or change any existing regulatory obligations” in this report. That is not to say, however, that FINRA isn’t including cybersecurity in its examination process. To the contrary, it IS, and the more time that passes and the more FINRA “learns” from those exams, the more stringent it will become; you can bet your bottom dollar that new regulatory obligations will follow. Best to be prepared now rather than try to play catch-up down the road.
RECOMMENDED BRANCH OFFICE CONTROLS
Firms generally struggle with branch office controls more than anything else, due in part to the growing number of employees who work remotely or travel for their jobs. Every remote worker and every traveling laptop adds to the firm’s exposure to cyber threats. FINRA, in its report, suggests security controls such as:
- Comprehensive Written Supervisory Procedures (WSPs) that can be easily referenced to formalize minimum oversight practices;
- Conducting an inventory of branch data, software, and hardware assets;
- Formally designating an individual to be responsible for the firm’s cybersecurity program. Some firms have created new C-level titles for this function – Chief Information Security Officer (CISO);
- Maintaining technical controls; and
- Implementing branch cybersecurity examination programs.
FINRA also suggests that firms establish minimum hardware and software configurations and settings, and even goes so far as to recommend using “approved vendors” to tighten branch and firm security.
PHISHING ATTACKS
“Phishing” isn’t a badly misspelled word that millennials are using to confuse us “seasoned” professionals. The word comes from the attacker’s technique: gaining access to a firm’s computer systems by tricking employees into letting them in, a sort of “fishing expedition” for credentials and access.
To understand phishing, consider the vintage Saturday Night Live sketch in which a character disguised as a shark tries to get into a house. The shark knocks on the door pretending to be someone else: the mailman, a candygram, a plumber, and so on. The person refuses to be fooled, saying “it isn’t my birthday” or “I didn’t call a plumber,” but the shark’s persistence eventually pays off and the person opens the door: “I’m not a shark… I’m a dolphin, I promise!” “A dolphin? Well, in that case, come on in…” CHOMP!
We can’t post the video here due to some potential copyright infringements, but you’re welcome to search your favorite online video streaming service to see the sketch in its entirety. You may even recognize a few of the actors and see what Murphy Brown (a/k/a Candice Bergen) looked like when she was still worthy of gracing the cover of Vogue magazine!
The point is that these cyber “sharks” are constantly trying to get into your computer systems and they’ll do it by any means necessary. They’ll try to convince you, usually via email, to click a link contained in the email, give them information to access your servers or even wire funds from “their” account. Once you give them what they’re looking for, i.e. access, information, money, etc., there is no turning back. TRAIN YOUR EMPLOYEES TO RECOGNIZE THIS TYPE OF THREAT!
INSIDER THREATS
Believe it or not, nearly every employee a company hires is there for legitimate purposes. While there are rogue employees who intentionally divulge confidential information, in our experience those situations are rare; the most common insider threat is the well-meaning employee who inadvertently discloses sensitive information and wreaks havoc on the security of the network.
FINRA suggests that one way to mitigate this insider risk is to implement strong data loss prevention (DLP) procedures, which will “typically identify sensitive customer and firm data based on rules and then block or quarantine the transmission of the data whether by email, data upload or download, file transfer or other method.” A robust compliance/cybersecurity program that incorporates these procedures may prevent, or at least minimize, the transmission of confidential data, whether malicious or inadvertent.
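To make the “identify by rules, then block or quarantine” idea concrete, here is a small rule-based outbound email check. It is an added example written for this article, not FINRA’s or any DLP vendor’s code. The firm domain (example-bd.com), the account-number format, the policy (block regulated identifiers bound for outside the firm, quarantine account numbers for review, allow internal mail) and the sample messages are all constructed assumptions; a real DLP product applies the same pattern across email, uploads and file transfers and would redact matches before logging them.

```python
"""Rule-based outbound DLP check (constructed example, not FINRA's or any vendor's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: the firm's own mail domain; any other recipient domain is treated as external.
INTERNAL_DOMAIN = "example-bd.com"

# Rule 1: US Social Security Number in dashed form (area 000/666/9xx, group 00 and serial 0000 are never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Rule 2: candidate payment card number, 13-16 digits with optional space or dash separators.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
# Rule 3: firm account number referenced by label, 8-12 digits (constructed format for this example).
ACCOUNT_RE = re.compile(r"\b(?:account|acct\.?)\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{8,12})\b", re.I)


@dataclass
class Finding:
    rule: str    # which rule fired: "ssn", "card" or "account"
    value: str   # the matched text (a production system would redact this before logging)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Apply every rule to the message body and return all matches."""
    findings = [Finding("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("card", m.group(0)))
    findings += [Finding("account", m.group(1)) for m in ACCOUNT_RE.finditer(text)]
    return findings


def is_external(recipients: list[str]) -> bool:
    """True if any recipient is outside the firm's own domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)


def decide(message: dict) -> tuple[str, list[Finding]]:
    """Return (action, findings) where action is 'allow', 'quarantine' or 'block'."""
    findings = scan(message["body"])
    if not findings or not is_external(message["to"]):
        return "allow", findings        # nothing sensitive, or the data stays inside the firm
    if any(f.rule in ("ssn", "card") for f in findings):
        return "block", findings        # regulated identifiers never leave the firm by email
    return "quarantine", findings       # account numbers are held for compliance review


# Constructed sample messages; none of these values belong to a real person or account.
SAMPLE_MESSAGES = [
    {"id": 1, "to": ["ops@example-bd.com"], "body": "Client SSN for the new account is 123-45-6789, file attached."},
    {"id": 2, "to": ["client@gmail.example"], "body": "Per your request, your SSN on file is 123-45-6789."},
    {"id": 3, "to": ["advisor@otherfirm.example"], "body": "Transfer from account number: 4483920017 is pending."},
    {"id": 4, "to": ["vendor@otherfirm.example"], "body": "Order ref 1234 5678 9012 3456 shipped Tuesday."},
    {"id": 5, "to": ["client@gmail.example"], "body": "Card on file ends 4111 1111 1111 1111, confirm?"},
]


def run_all() -> dict[int, str]:
    """Classify every sample message; returns {message id: action}."""
    return {m["id"]: decide(m)[0] for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        action, found = decide(m)
        print(f"msg {m['id']}: {action:10s} rules={[f.rule for f in found]}")
```

Message 4 is the case a practitioner cares about most: the 16-digit order reference looks like a card number but fails the Luhn check, so it is allowed rather than generating a false positive that trains staff to ignore the control. Message 1 shows the other side of the policy: the same SSN sent to a colleague is allowed, because the rule is about where data goes, not merely that it exists.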
PENETRATION TESTING
Imagine paying someone to hack into your computer system! That’s the premise of penetration testing. The firm contracts with a cybersecurity vendor to (legally) compromise its network and show where the weaknesses are. The results go a long way toward deciding where to allocate resources and how to improve the firm’s cybersecurity.
EMPLOYEES’ USE OF MOBILE PHONES AND OTHER MOBILE DEVICES
The use of mobile devices has brought an entirely new level of potential cybersecurity threat. Let’s say you use a firm laptop with access to sensitive information, either on the hard drive or via an application that is simply password protected. You’re late for your flight and leave it in the rental car or in a taxi. Even though there is a password to log in to the laptop, studies have shown that it doesn’t take a moderately skilled attacker long to get past it, and a login password by itself does nothing to protect the files on an unencrypted hard drive; once past it, they have access to everything on the laptop. Sounds too easy? It is, and the potential for loss is virtually unlimited.
While there is no one-size-fits-all solution, FINRA suggests that devices be equipped, at a minimum, with multi-factor authentication, up-to-date antivirus software and an encrypted mobile device management (MDM) application. Some firms go further and require biometric authentication, such as a fingerprint, to unlock the device.
More recently, the Securities and Exchange Commission published a 10-page report, Cybersecurity and Resiliency Observations, which further highlights how vulnerable firms are and sets out the SEC’s expectations and examination priorities.
Don’t wait for a cybersecurity incident to happen before your firm takes action! In the long run, it could potentially cost your firm much more in losses, both monetary and reputational, than it would have to implement the policies and safeguards right now!
Let us know if we can help you develop your WSPs and protect your data!