The Privacy Advisor | FINRA, SEC Provide Broker-Dealers with Motivation, Tools To Get the Job Done



Both the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) have recently issued guidance to broker-dealers on cybersecurity, providing valuable resources for them and for registered investment advisors to combat the growing threat of cyber-attacks. The two reports should provide the tools and information needed by those broker-dealers who have put off focusing on cybersecurity to strengthen their data protection capabilities. Broker-dealers would do well to read these reports in full and then apply their useful industry intelligence toward improving their systems and procedures.

As demonstrated by recent high-profile data breaches, such disruptions can have financially devastating and long-term consequences for companies of all types. Fortunately, both of these reports contain vital information for firms interested in effectively protecting their customers’ private information. By examining particular firms’ cybersecurity practices, the reports provide others with the opportunity to bolster their information-security policies to match the industry leaders, most critically in the following areas: responding promptly to cyber-attacks; cultivating a culture of compliance from the senior level down; training internal staff and outside vendors on information security, and purchasing cybersecurity insurance. With the benefit of these resources and others, firms might find that the job is not as daunting as they feared.

SEC Risk Alert: Useful Statistics 

The SEC’s February 3 Risk Alert was the result of a cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE). The sweep examination found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) they visited experienced cyber-attacks directly or indirectly through vendors. While it is not surprising that so many BDs and RIAs have experienced cyber-attacks, it is a somber reminder that systems are vulnerable. Moreover, OCIE reports that more than half of the BDs and almost half of the RIAs they examined reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of the BDs reported losses related to fraudulent emails but no single loss in excess of $75,000.

The sweep also found that while the vast majority of all BDs and RIAs have adopted written information-security policies, many firms still have gaps in their cybersecurity policies. BDs and RIAs will find the report useful reading to help them learn how they compare to their peers in their development of cybersecurity procedures.

For those registered firms looking ahead to their next examinations, OCIE’s release also provides a hint of how it will focus its efforts in future reviews on the adequacy of a firm’s policies and procedures. It is always helpful to use industry-wide, survey-type information from a regulator to benchmark one’s firm against the general population of firms.

For its sweep, OCIE examined 57 registered BDs and 49 registered RIAs in order to “discern basic distinctions among the level of preparedness of the examined firms.”

The Good News

OCIE reported that most firms have prepared themselves for cyber-attacks. Those firms unsure of how they compare to their peers should read the following statistics and begin refining their information-security policies:

 • 93 percent of BDs and 83 percent of RIAs examined have written information-security policies.

 • Nearly as many have written business continuity plans that address mitigating the effects of a cybersecurity incident and/or outline the firm’s plan for recovering from a disruption.

• A similar number conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences.

• Almost all firms have conducted a firm-wide inventory of their technology resources, including physical devices and systems, software platforms, network resources, connections to firm networks from external sources, hardware, data and software.

 • Almost all firms use encryption.

 • While 65 percent of the BDs examined offer their customers online access to account information, all of them provide their customers with information about reducing cybersecurity risk in conducting business with the firm. And, of the 26 percent of RIAs that primarily advise retail clients and provide online access to account information, only three-quarters tell their customers how to reduce cybersecurity risks.

• Most of the BDs and a little over half of the RIAs use published cybersecurity risk-management standards, such as those published by the National Institute of Standards and Technology.

Room for Improvement

OCIE also reported findings that indicated that many firms still have a ways to go in developing or improving cybersecurity procedures:

• Only 72 percent of the examined BDs incorporate cybersecurity requirements into their contracts with vendors and other business parties, and only 24 percent of RIAs do so.

• Only 51 percent of firms have procedures related to information-security training for vendors or business partners.

• Very few firms address how they determine whether they are responsible for client losses resulting from cyber incidents.

 • A little over half of the BDs and only 21 percent of RIAs have cybersecurity insurance.

 • Only about two-thirds of the BDs, and less than a third of RIAs, have a designated chief information security officer.

FINRA Report: Best Cybersecurity Practices 

FINRA’s Report on Cybersecurity Practices grew out of its targeted examination of firms last year. To issue the report, FINRA gave careful consideration to the needs of many broker-dealers for information and the tools to combat cyber intrusions. The report is comprehensive, and it doesn’t shy away from delving into technical detail. It is a useful resource for broker-dealers looking to assess and improve their procedures for preventing a cybersecurity attack and dealing with one if and when it comes.

General Principles

As FINRA’s report indicates, cybersecurity has been a regular theme in its annual Regulatory and Examination Priorities Letter since 2007, and over the years, FINRA has conducted surveys and on-site reviews of firms to increase its awareness of how firms control cyber risks. FINRA points to a variety of factors driving firms’ exposure to cybersecurity threats, including advances in technology, changes in firms’ business models and changes in how firms use technology. A prime example of such risks is the increased use of web-based access or mobile devices for brokerage activities.

FINRA defines “cybersecurity” as “the protection of investor and firm information from compromise through the use ... of electronic digital media.” Compromise is the loss of data confidentiality, integrity or availability. FINRA acknowledges that there is no “one-size-fits-all” approach, because firms come in a variety of sizes and business models and acceptable approaches to compliance and supervision may vary widely among firms. But at the end of the day, “firms must have appropriate risk-management measures in place to address the cybersecurity-related threats they face.”

FINRA’s report is perhaps at its most useful when—similarly to the SEC Report—it reviews practices that it observed at firms in each area discussed. These discussions will permit broker-dealers to benchmark their practices against the industry in general and increase the urgency of improving their systems when they find that they fall short.

Governance and Risk Management

A defined governance framework will enable a firm to make decisions about establishing policies and procedures; selecting, implementing and monitoring controls, and establishing an independent assessment function. The governance framework should describe the leadership role that the board of directors, if the firm has one, should play in overseeing the firm’s cybersecurity, and that role will require the board, among other things, to understand that cybersecurity is an enterprise-wide risk-management issue, to have access to expertise in the area and to set expectations for management to establish a risk-management framework with adequate resources.

The report notes the benefits of greater board involvement in ensuring that firms adequately focus on cybersecurity. As evidence, the report cites FINRA enforcement actions related to cybersecurity that frequently made findings of significant governance or management failures, for example, failures to act on warnings that, if heeded, could have mitigated the loss of customer information. In the report, FINRA identifies existing industry frameworks and standards that firms can draw upon in developing their approach to cybersecurity, including those created by the National Institute of Standards and Technology, International Organization for Standardization and International Electrotechnical Commission and ISACA, which FINRA found are used by almost 90 percent of the firms reviewed.

Cybersecurity Risk Assessment

FINRA recommends that firms conduct regular assessments to identify cybersecurity risks and give priority to remediating these risks. FINRA explains that these risk assessments should focus on specific broker-dealer-oriented risks, that is, the compromise of customer or firm confidential information, misuse of customer assets and theft of proprietary trading algorithms. And, of course, FINRA points out the risk of harm to a firm’s reputation in the event of a breach.

A risk assessment should ensure that a firm’s controls are adequate to prevent harm; detect potential threats; correct a system after a detrimental event, and predict the possibility of an event occurring. The report lists 15 areas in which a firm might want to improve its controls, including controls governing data storage at vendors, employee access or WiFi protection.

Incident Response Planning

The general assumption for designing cybersecurity procedures and controls is that it is not a matter of if a cyber event might occur but when. Firms must have an incident-response plan that will prepare them to manage a cybersecurity event in order to limit damage, maintain the confidence of external stakeholders and reduce recovery time and costs. FINRA points to firms that have a dedicated Computer Security Incident Response Team and, for smaller firms, approves of contracting with a knowledgeable vendor to provide incident response capability.

FINRA cites these incident response steps:

  • Containment to prevent an incident from further damaging a firm and mitigation of any damage;
  • Eradication of any causes of the incident and recovery of systems to restore them to normal operation;
  • Investigation of the incident to determine the extent of loss and identify the causes;
  • Notification of all relevant parties, including regulators and, where appropriate, customers, and
  • Making clients whole, including providing free credit-monitoring services and reimbursing customers for losses.

Vendor Management

Even if a firm has established state-of-the-art internal controls and procedures, it remains vulnerable if it does not ensure that the third-party vendors that it uses—for example, for cloud-based services—are not themselves a source of cybersecurity risks. A vendor or its employees could misuse firm data or the vendor itself could be subject to cyber-attack.

The report provides an extensive list of suggestions for controlling this potential risk area. The recommended practices include:

  • Initial due diligence on prospective vendors;
  • Contractual provisions that set out the vendor’s obligations for protecting firm information and permit ongoing oversight of the vendor, among other things, and
  • Ongoing due diligence of a vendor’s controls and processes.

Staff Training

Even with adequate systems and controls, a firm’s employees who do not adequately understand and apply them can be weak links and high-risk areas. Cybersecurity training, therefore, is an essential component of any program, and the report provides suggestions for the content and frequency of such training. The good news is that 95 percent of firms reviewed already provide mandatory cybersecurity training for their staff. The bad news is that those firms that do not will probably be easily identifiable as outliers.

Other Areas

  • Technical Controls: The report reviews technical controls approaches in general and specific types of controls to protect firm software and hardware as well as firm data. The discussion is highly technical and will be of value to the IT departments or vendors who are assigned those responsibilities.
  • Cyber Intelligence and Information Sharing: Firms need to keep up with intelligence about cyber threats—through assigned staff or outside vendors—in order to maintain protections against any new or emerging threats. In addition, firms should participate in information-sharing protocols to benefit from available information about new technologies and recent attacks.
  • Cyber Insurance: The market for cyber insurance is evolving rapidly and, in some cases, costs are decreasing as the number of participants increases and the need for coverage becomes more apparent. There are a variety of cyber-insurance plans that provide a range of types of coverage. The report points out that the evolving nature of cyber threats compels many firms to review their coverage annually.

The Impact of These Reports

Without taking a position on which controls and procedures discussed in the SEC and FINRA reports are more important or effective, it is easy for us to simply recommend that key personnel at all broker-dealers read the reports. After reading them, officials at many firms will derive satisfaction from knowing that they are up-to-date with all of the recommendations and, indeed, that they themselves were the subjects of the best practices that FINRA reports to the industry. Many firms will find that they are largely on point but will identify some gaps that are worth filling in the interest of having a more effective system. And some firms will have been waiting for this “wake-up call” to start the necessary process of putting a system in place.
