Cybersecurity Advisory - FINRA Holiday Cybersecurity Practices

Impact: All Firms

With the holiday season upon us and 2023 coming to an end, FINRA’s Cyber and Analytics Unit (CAU) would like to remind member firms to prepare for cyber threats and attacks that may occur around the holidays. Member firms and their vendors should consider reviewing and validating their Written Supervisory Procedures (WSPs), continuing to educate their employees with respect to cybersecurity and effective practices, and testing incident response plans (IRPs) to prepare for, prevent, or recover from an incident.

During the past year, FINRA observed threat actors conduct cyber-attacks targeting member firms and their vendors in a variety of ways. This included new account fraud (NAF), imposter websites, insider threats, and social engineering attacks, which led to account takeovers (ATOs), data breaches, and ransomware compromises1.

FINRA is highlighting the importance of remaining vigilant during the holidays. Threat actors are known to exploit people and systems this time of year for a variety of reasons, including increased time away from the office, a general uptick in online shopping and financial giving. Firms may consider the following:

  • Ensuring their IRPs, and Business Continuity and Disaster Recovery Plans, are easily accessible to firm personnel in printed form;
  • Ensuring their emergency contacts information is up to date to include firm employees (executive level to cyber team), vendor contacts (managed service providers, cybersecurity insurance carrier, etc.), regulators (FINRA, SEC, state regulators, etc.), and law enforcement partners;
  • Ensuring all staff know their colleagues’ holiday vacation schedules or periods of unavailability, and that all alternate/backup personnel are prepared to identify and respond to cyber-attacks;
  • Practicing scenarios using their IRPs with tabletop exercises and adjust where needed;
  • Educating and reminding staff about social engineering tactics and techniques, and providing them with effective practices for identifying and responding to phishing attempts2, such as:
    • Not clicking suspicious links;
    • Reporting all suspicious links per firm procedures;
    • Reviewing email addresses for misspellings/alterations; and
    • Being aware of emails, text messages or telephone calls demanding urgent actions be taken; and
  • Reviewing WSPs regarding connecting to any firm systems or applications while out of office to include the appropriate use of multi or two-factor authentication (MFA/2FA), virtual private networks, and public Wi-Fi.

Threat actors continue to take advantage of every opportunity to compromise systems, and the holiday season is a time when people may let their guard down. It is the responsibility of all member firms to ensure the safety of their systems to protect investors and the market from harm.

For questions related to this Advisory or other cybersecurity related topics, contact FINRA’s CAU. For additional cybersecurity guidance, please see CISA’s Holiday Online Shopping Tips and Tabletop Exercise Packages.

Note: This Advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Advisory in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some items may not be relevant due to certain firms’ business models, sizes, or practices. The citation or listing of any organization should not be interpreted as endorsements of the organizations.

1. The terms used in this sentence are defined below:

NAF occurs when threat actors use stolen customer personally identifiable information (PII) to fraudulently open brokerage accounts for the purpose of facilitating fraud and money laundering schemes. 

Imposter websites are fraudulent or illegitimate websites used to deceive users into fraudulent or malicious attacks. 

Insider threats involve current or former employees, contractors and vendors who access confidential information or services to defraud the business or its customers.

Social engineering attacks involve the process of a threat actor tricking a victim into taking an unauthorized action (providing a password, clicking on a malicious link, opening an attachment, etc.)

ATOs involve threat actors using compromised customer information, such as login credentials (username, password, etc.) to gain unauthorized entry to customers’ online brokerage accounts.

Data breaches are the exposure of sensitive customer information often after an ATO of a firm email or online system account and the data is viewed or copied by a bad actor.

Ransomware compromises are often the result of social engineering tactics where the malware is first loaded to the initial victim’s device when an attachment is opened in an email, or an application is downloaded from a nefarious contact on social media. Once the ransomware is loaded on a single device the malware searches the host network looking for other devices and servers to infect. Historically, the goal of ransomware has been to encrypt critical data and then to demand a ransom payment for the victim to receive a decryption key to unlock their data.

2. Phishing is a social engineering tactic deployed through email, text messages, social media, and telephone calls where a threat actor claims to be from a legitimate business or impersonates a known person requesting personal information, financial information, or account credentials (username, password, 2FA/MFA credentials, etc.)