On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a Report on Selected Cybersecurity Practices (the “2018 Report”). In it, FINRA outlines five topics of focus:
- Cybersecurity controls in branch offices;
- Methods of limiting phishing attacks;
- Identifying and mitigating insider threats;
- Elements of a strong penetration-testing program; and
- Establishing and maintaining controls on mobile devices.
The 2018 report advocated “a firm culture that focuses on cybersecurity awareness and providing regular cybersecurity training.” Such a culture is of particular concern to FINRA because the agency has found that “many of the data breaches FINRA has observed occurred because well-intentioned employees or other users made preventable mistakes.”
The 2018 Report includes an appendix of “Core Cybersecurity Controls for Small Firms” and a reference to FINRA’s Small Firm Cybersecurity Checklist, which can be used to assist firms in revising their existing cyber policies and procedures. Key topics in the appendix include:
- Patch maintenance;
- Secure system configuration;
- Identity and access management;
- Vulnerability scanning;
- Endpoint malware protection;
- Email and browser protection;
- Perimeter security;
- Security awareness training;
- Risk assessments;
- Data protection;
- Third-party risk management;
- Branch controls; and
- Policies and procedures.
Together, these tools are designed to help smaller firms identify and implement relevant cybersecurity measures and countermeasures.
WHAT DOES THIS MEAN FOR ME?
The 2018 Report is only the latest reminder that securities professionals should develop and maintain strong cybersecurity practices. FINRA has made cybersecurity an area of emphasis in recent years, releasing a Report on Cybersecurity Practices in 2015 and identifying cyber risks and threats in its 2017 and 2018 Regulatory and Examination Priorities Letters.
Additionally, cybersecurity remains a high priority for the SEC. As noted in a recent Fairview Flash Report, the SEC will continue to focus on cybersecurity from both examination and enforcement standpoints.
FINRA’s list of topics does not cover all regulatory risks or requirements, and using FINRA’s tools and checklists does not create a “safe harbor” with respect to any state, federal, or other applicable laws and regulatory requirements. Other risks and requirements beyond those described in the 2018 Report remain appropriate to consider.
If you have any questions about policies and procedures governing cybersecurity, please reach out to Fairview directly. Fairview is committed to ensuring its clients’ compliance programs are robust and compatible with all applicable regulations.