FINRA released a Report on Selected Cybersecurity Practices that details information security controls FINRA has observed to be effective at securities firms in five areas: branch controls, phishing attacks, insider threats, penetration testing, and mobile devices. The report follows FINRA's 2015 report, which addressed the main elements of a firm-level cybersecurity program and provided guidance on program improvements.
FINRA notes that it continues to identify “problematic cybersecurity practices” through its examination and risk monitoring program and that firms “routinely identify cybersecurity as one of their primary operational risks.” FINRA states that the areas covered by the report are areas that firms tend to find the most challenging. A representative sample of the highlighted “effective practices” is provided below.
Branch office controls: FINRA states that a branch office's autonomy from the home office can adversely affect a firm's ability to implement a consistent firmwide cybersecurity program, especially in cases where a branch lags behind the head office in upgrading software and hardware or uses non-approved vendors. FINRA identifies the following “effective practices” for branch office controls:
Phishing attacks: FINRA states that phishing attacks, where the sender of an email tries to convince a recipient to provide information or take action, are “one of the most common types of cybersecurity threats that firms discuss with FINRA.” Observed practices to mitigate the threat of phishing attacks include:
Insider threats: Insiders are individuals who currently have, or previously had, authorized access to firm systems and data; they can include employees, contractors, and consultants. FINRA notes that effective insider threat programs typically integrate the following components:
Penetration testing: Penetration testing, which simulates an attack on a firm's computer network to identify vulnerabilities and evaluate protective measures, is a component of most firms' cybersecurity programs. FINRA notes that firms generally contract with third parties to perform penetration tests and also:
Controls on mobile devices: Mobile devices have emerged as a significant risk for many firms because of their increasingly widespread use by employees and customers. Firms with large numbers of retail customers may also be subject to greater exposure. Risks from mobile devices include malicious advertisements and spam communication; infected, cloned, or pirated mobile applications; vulnerabilities in mobile operating systems; and phishing, spoofing, or rerouting of calls, emails, and text messages. FINRA has observed “effective practices” to mitigate these risks, including:
Further steps
FINRA notes that there is no “one-size-fits-all” approach to cybersecurity and recommends that the specific practices highlighted in the report be evaluated in the context of a holistic firm-level cybersecurity program. Additional FINRA cybersecurity resources are available on FINRA's website.