FINRA held its biannual Cybersecurity Conference last month, bringing together experts from securities firms, regulators and law enforcement to share effective practices, practical tips and information about new threats and challenges. More than 270 attendees in person and approximately 75 firms via the web saw presentations covering a broad range of topics including:
- Using the National Institute of Standards and Technology Cybersecurity Framework to develop a strong program;
- Preventative measures firms can take to control access to their systems, protect data and educate contractors and staff about sound practices;
- Monitoring for cyber threats and detecting cyber events, attacks and security breaches;
- How to respond to and recover from a cyber attack or security breach; and
- What regulators are seeing during examinations.
Some of the most significant lessons came in the form of real-life cybersecurity stories told by the presenters. Here are five such experiences.
The Fake Wire Request and the Charity Golf Tournament
How did perpetrators know when a firm was most vulnerable to a phony wire transfer request? The firm clued them in through its social-media posts, explains Michael Driscoll, Special Agent in Charge, Counterintelligence/Cyber Division, Federal Bureau of Investigation:
Thumb Drives in the Parking Lot
Many employees pass the usual phishing tests and comply with standard cybersecurity policies, but can they resist an opportunity to see confidential information? Nicole (Nicky) Olivo, Compliance Liaison and Information Security Officer, TFS Securities, Inc., tells of a novel way she found out:
The Vulnerability That a Firm Didn’t Know It Had
A firm told examiners there was nothing to see, because it relied on vendors to store customer data. On closer inspection, the firm learned of an exposure it hadn’t recognized, says Len Smuglin, Information Technology Examination Manager, FINRA Member Supervision:
Taking the Tabletop Exercise Up a Notch
It was difficult for her colleagues to grasp the impact of a cybersecurity attack until she staged an exercise that denied them access to their email and network, says Jennifer Szaro, Chief Compliance Officer, Lara, May & Associates, LLC:
Interrupting the Chain of Trust
Multi-factor authentication is a positive step but not foolproof, according to Salvatore Montemarano, Senior Specialized Examiner – Information Technology, Technical Controls Program, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission. He tells of a hack that inserted itself between trusted devices:
For additional information see FINRA’s Cybersecurity page. A recording of the conference is available to FINRA member firms and Certified Regulatory and Compliance Professional (CRCP) program graduates on the 2020 FINRA Cybersecurity Conference page.