Following up on our post from last week on the SEC’s cybersecurity exam sweep, you should also know about FINRA’s recent report on this area. Last month, FINRA published a Report on Cybersecurity Practices that really could be useful reading for anyone in a complex business that hopes to keep its electronic data secure.
Where the Report Came From
In 2014, FINRA conducted targeted examinations at a cross-section of member firms, including large investment banks, clearing firms, online brokerages, high-frequency traders, and independent dealers. FINRA had four objectives: (1) to understand the types of threats firms face; (2) to increase understanding of firms’ risk tolerance, exposure, and major areas of vulnerabilities in their IT systems; (3) to understand firms’ approaches to managing these threats; and (4) to share observations and findings with member firms. As the report repeatedly recognizes, there is no one-size-fits-all approach to cybersecurity. But the report does lay out a road map for what brokerages should be doing to protect themselves, no matter where they are on the food chain.
Key Points in the Report
Just because one size doesn’t fit all doesn’t mean some principles are not common to all. Here are the key points FINRA member firms should consider, followed by our thoughts and quotes from the report:
- A sound governance framework with strong leadership is essential.
As used in this report, “governance” and “governance framework” refer broadly to the establishment of “policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements” in a way that informs its management of cybersecurity risk. Directors need to involve themselves in these issues and should consider the National Association of Corporate Directors publication Cyber-Risk Oversight in doing that. Another effective practice is to evaluate relevant industry frameworks and standards as reference points in developing their approach. The ISO 27001/27002 framework is highlighted as one. The NIST Framework is another. Commissioner Aguilar would approve.
- Risk assessments serve as foundational tools for firms to understand the cybersecurity risks they face across the range of the firm’s activities and assets—no matter the firm’s size or business model.
FINRA views the risk assessment process as a key driver in a firm’s risk management-based cybersecurity program. It is also a potentially useful starting point for firms embarking on the establishment of a cybersecurity program. The NIST Framework, for example, identifies six sets of risk assessment activities or outcomes:
- identify and document asset vulnerabilities;
- review threat and vulnerability information from information sharing forums and sources;
- identify and document internal and external threats;
- identify potential business impacts and likelihoods;
- use threats, vulnerabilities, likelihoods and impacts to determine risk; and
- identify and prioritize risk responses.
- Technical controls, a central component in a firm’s cybersecurity program, are highly contingent on firms’ individual situations.
The one-size-doesn’t-fit-all maxim probably holds more sway here than in any other area. Smaller firms simply aren’t going to be able to afford the technical safeguards that huge investment banks can. That said, “firms should implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself. Effective practices include . . . selecting controls appropriate to the firm’s technology and threat environment, for example: identity and access management; data encryption; and penetration testing.”
- Firms should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
“A firm’s incident response plan should address different attack scenarios, since incidents can occur along many different attack vectors. While it is not feasible to develop step-by-step instructions for every imaginable incident, firms should at least have prepared response plans for the most common attacks to which the firm may be subjected. Based on information firms provided to FINRA, common events at broker-dealers include DDoS attacks, malware infections, insider threats and cyber-enabled fraudulent wire transfers.” For smaller firms, contracting with a vendor may be the most effective method to provide incident response capability.
- Broker-dealers typically use vendors for services that provide the vendor with access to sensitive firm or client information or access to firm systems. Firms should manage cybersecurity risk exposures that arise from these relationships by exercising strong due diligence across the lifecycle of their vendor relationships.
“Risk-based due diligence on a prospective vendor’s cybersecurity practices is a critical first step in selecting third-party service providers. This due diligence provides a basis for the firm to evaluate whether the prospective vendor’s cybersecurity measures meet the firm’s cybersecurity standards. This can include discussions about the controls a vendor would need to implement to remediate a weakness relative to the firm’s cybersecurity standards. As a general principle, firms should avoid using vendors whose security standards do not at least meet those of the firm in the relevant area of activity.”
- A well-trained staff is an important defense against cyberattacks.
True! People need to know what to do, and what not to do. “FINRA found that many of the cybersecurity attacks that firms identified were successful precisely because employees made mistakes, such as inadvertently downloading malware or responding to a phishing attack.”
- Firms should take advantage of intelligence-sharing opportunities to protect themselves from cyber threats.
“Firms that can take in and analyze cyber intelligence effectively can proactively implement measures to reduce their vulnerability to cybersecurity threats and thereby improve their ability to protect both customer and firm information. The FS-IAC (discussed here) provides a venue for the financial services industry to share threat intelligence, anonymously if so desired, and the ability to turn threat data into “actionable intelligence.”
Somebody at FINRA did a lot of good work on this report. You should read it and consider its recommendations.