FINRA just published a report on the cybersecurity practices of member firms based on the targeted examinations it recently conducted on this very topic. While the report claims that it creates no new legal or regulatory requirements, it doesn’t read that way, and broker-dealers would be foolish to overlook it.
(NB: Cybersecurity goes beyond protecting customer information from disclosure to hackers. Firms are also expected to ensure that their customer and other critical data remains available and undamaged.)
Citing an increase in the frequency and sophistication of attacks on member firms, the report “presents an approach to cybersecurity grounded in risk management” that appears to require a governance framework, risk assessment, technical controls, an incident response plan, vendor management, staff training, and intelligence sharing. Large broker-dealers may have most of these components in place already, but smaller broker-dealers with limited in-house IT support may find it hard to understand what this jargon-filled report even asks them to do.
At the very least, and even for the smallest firms, a “sound governance framework” requires that board and management exhibit a reasonable understanding of cybersecurity risk and the firm’s plan to address it. In the report, FINRA endorsed the principles adopted by the National Association of Corporate Directors as “a useful reference point” for the responsibilities of directors. See Cyber-Risk Oversight (2014 edition). Firms should also be able to point to widely-used data security standards and frameworks like the NIST Framework as jumping-off points for their own efforts, should use metrics to evaluate performance, and should devote the necessary resources to implement any plan they implement. Failure to do these things “increases the regulatory risk for firms” under Rule 30 of Regulation S-P or the Red Flags Rule.
Risk assessments are “foundational,” “no matter the firm’s size or business model.” (Over 80% of firms had established programs, and FINRA was “concerned” about the rest.) Risk assessment involves identifying and classifying information and technology assets, identifying the risks to those assets, determining how those risks might materialize, and establishing a way to handle them. The top three general threats to information assets member firms identified to FINRA were hackers, betrayal by insiders, and operational risks like power failures and natural disasters.
Technical controls are “highly contingent on firms’ individual situations,” though FINRA strongly encourages a regularly updated “defense-in-depth” strategy. Defense-in-depth involves conceptualizing your IT infrastructure in layers (e.g. applications > perimeter > server > databases > data) and applying different controls at each layer in an effort to identify and interdict threats. While the discussion of controls is fairly general, three areas were emphasized: identity and access management, encryption, and third-party penetration testing. Given the prevalence of credential theft and guessing attacks, the emphasis on identity and access management wasn’t surprising, but the report does treat the subject in unexpected depth. The emphasis on encryption is likewise conventional, though FINRA’s expectations in this regard may go beyond current common practice as far as cloud storage and server-based data at rest are concerned. I was a bit surprised by the focus on third-party penetration testing, given the other controls that could have been emphasized. Third-party testing of this type is arguably not the most effective use of resources for smaller firms, though it is hard to see how larger firms could safely avoid it.
The report enumerates a laundry list of “principles and effective practices” for incident responses but concedes that for smaller firms, “contracting with a vendor may be the most effective method to provide incident response capability.” The report makes clear that FINRA expects firm clients to be protected from future harm and made whole for harms that they actually suffered. FINRA also takes a dim view of delayed or inadequate responses, so firms are unlikely to have time to fix defective incident response plans or formulate new ones after the fact.
FINRA’s ideal for vendor management goes well beyond “select and forget.” FINRA expects firms to exercise due diligence in the selection, use, and termination of their vendors. Once again, access control looms large among FINRA’s concerns, and the report makes clear that vendor access must be controlled and monitored on an ongoing basis and should terminate with the vendor relationship. This section of the report includes a helpful summary of contract provisions that thoughtful firms will try to include in their IT vendor contracts.
Staff training in cybersecurity (for regular employees and IT staff) is likewise viewed as critical to prevent well-intentioned staff from making mistakes like downloading malware. The report emphasizes that effective training is interactive, tailored to the employee’s job requirements and the firm’s risks, and frequently updated to address new and evolving threats.
And finally, firms should take advantage of intelligence-sharing opportunities to learn about new threats and responses. Here the report emphasized the importance of the presidentially-established Information Sharing and Analysis Center for Financial Services (FS-ISAC) as a clearinghouse for shared information regarding cyberthreats, used by 72% of sweep respondents. The report complains about firms’ hesitancy to share information and downplays the antitrust and privacy concerns advanced by some firms that have been reluctant to participate.
For larger firms, much of the information, and many of the expectations, in this report will be old hat. These firms will encounter fewer problems with the quality of their plans but more problems with their risk profile and the difficulty of enforcing those complex plans across giant enterprises. Smaller firms, by contrast, may face less risk and be able to implement their plans more easily, but they will confront difficult choices about the cost-benefit of hiring outside consultants to ensure that they live up to FINRA’s increasingly sophisticated cybersecurity expectations.