Cybersecurity is one of the principal operational risks facing broker-dealers. Recent revelations regarding successful attacks at a number of different entities underscore the need for firms to be vigilant in addressing cybersecurity threats. FINRA has focused on sharing information to help firms better protect their customers and themselves, including through recommendations offered in connection with an examination.[1] The primary federal securities law provision governing a firm’s cybersecurity program is SEC Rule 30 of Regulation S-P, which requires firms to have written policies and procedures addressing the safeguarding of customer information and records.
FINRA has seen a significant increase in firms’ attention to cybersecurity challenges over the past two years, including at the executive management level. Awareness about cybersecurity risk has increased substantially. Most firms we examined have established, or were establishing, risk management practices, although the quality of those practices varied substantially both within and across firms. In some cases, firms adopted and executed, on an ongoing basis, formal risk management practices that executive management approved and applied on a consistent, firmwide basis. And some of the firms we regulate are leaders in developing and adopting cutting-edge cybersecurity practices.
Firms with effective cybersecurity programs typically established strong governance structures and processes (scaled to the firm) that addressed cybersecurity in a risk management context. Firms escalated risk acceptance decisions and problems to the appropriate levels for resolution, as well as to inform future program development. Measures firms implemented included regular risk assessments with detailed, time-bound follow-up action plans to resolve higher-risk concerns. Firms supported these assessments with regular vulnerability and penetration tests. Firms also required employees to participate in regular, role-specific and generic cybersecurity training and testing, for example, through phishing email exercises. Firms with branch offices developed and implemented robust branch cybersecurity reviews as part of their branch examination programs. As appropriate to their scale, some firms implemented security information and event management, system usage behavior analytics and data loss prevention tools to identify, monitor, and address potentially anomalous or suspicious activity on their networks.
Selected Examination Findings
As the nature and sophistication of cybersecurity threats continue to evolve, even robust cybersecurity programs can be compromised when, for example, an employee opens an email attachment that contains malware. Common threats FINRA observed in 2016 and 2017 include phishing and spearphishing attacks,[2] ransomware attacks and fraudulent third-party wires that frequently involve use of email or stolen customer or financial advisor credentials.
FINRA observed a variety of areas where some firms could improve their cybersecurity programs against these and other threats.[3] These areas include:
- Access Management – Some firms FINRA examined did not address basic access management issues such as terminating departing employees’ access to firm systems on a timely basis. In the case of privileged systems users, some firms did not implement procedures to log, monitor and supervise their activities to detect anomalies such as a privileged user assigning herself or himself extra access rights, performing unauthorized work during off-hours or logging in from different geographic locations concurrently.[4]
- Risk Assessments – Some firms did not have formal processes to conduct ongoing risk assessments of their data, systems and applications, and could not effectively identify their critical assets and the potential risks to those assets.
- Vendor Management – Some firms did not have formal processes to review a prospective vendor’s cybersecurity preparedness or to ensure new vendors have appropriate protections in place. For example, some firms’ contracts with vendors did not address key questions such as the vendor’s responsibilities regarding notification to the firm in the event of a breach of customer or firm data. In cases where firms contracted with a parent organization for cybersecurity services, the parent’s cybersecurity responsibilities were not sufficiently documented, such as in a service-level agreement.
- Branch Offices – FINRA found that firms’ branch offices typically faced greater challenges in managing effective passwords, implementing patches and software updates, updating anti-virus software, controlling removable storage devices, encrypting data and reporting incidents.
- Segregation of Duties – FINRA observed some medium- and small-sized firms that did not segregate the responsibilities for requesting, implementing, and approving cybersecurity rules and systems changes. For example, some firms allowed application developers to access sensitive data in production systems and in some cases implement application code into production without appropriate oversight. In other cases, network engineers performed cybersecurity and information security functions without formal management oversight.
- Data Loss Prevention – FINRA observed that while larger- and medium-sized firms had implemented data loss prevention tools, there were opportunities to strengthen those implementations, including broadening rules that prevent transmission of Social Security numbers to include additional sensitive data such as customer account numbers; establishing thresholds to flag or block large file transfers to outside and untrusted recipients; and implementing formal change-management processes for data loss prevention system rule changes.
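The Access Management and Data Loss Prevention findings above each describe a monitoring control in words. The following Python block is an added example, not code from FINRA or from any examined firm, that implements a minimal version of both over constructed audit events and outbound messages: it flags a privileged user who grants rights to her own account, acts outside an assumed business-hours window, or has overlapping sessions from two locations; and it applies DLP rules for Social Security numbers, a customer account-number pattern, and a size threshold for transfers to untrusted domains. The user names, domains, account-number format, hours and thresholds are assumptions chosen for the example.

```python
"""Added example (not FINRA's code): two monitoring controls from the findings.

1. Privileged-user monitoring over constructed audit events.
2. Data loss prevention rules over constructed outbound messages.
All names, domains, formats and thresholds below are assumptions for the example.
"""
import re
from datetime import datetime, timedelta

# ---- 1. Privileged-user monitoring ------------------------------------------

PRIVILEGED_USERS = {"dba_admin", "net_admin"}   # assumption: list maintained by the firm
BUSINESS_HOURS = (7, 20)                         # assumption: approved window 07:00-20:00
CONCURRENT_WINDOW = timedelta(minutes=30)        # assumption: sessions this close overlap

# Constructed audit events: (timestamp, actor, action, target, login location)
AUDIT_EVENTS = [
    ("2017-03-01T09:15:00", "dba_admin", "LOGIN",       "",          "New York"),
    ("2017-03-01T09:20:00", "dba_admin", "GRANT_ROLE",  "jsmith",    "New York"),
    ("2017-03-01T09:30:00", "dba_admin", "LOGIN",       "",          "Singapore"),
    ("2017-03-01T23:45:00", "net_admin", "MODIFY_RULE", "fw-core",   "Chicago"),
    ("2017-03-02T10:00:00", "net_admin", "GRANT_ROLE",  "net_admin", "Chicago"),
    ("2017-03-02T10:05:00", "jsmith",    "LOGIN",       "",          "Boston"),
]


def privileged_user_alerts(events):
    """Return (actor, reason, timestamp) tuples for the three anomalies in the finding."""
    alerts = []
    logins = {}  # actor -> list of (timestamp, location) seen so far
    for ts_s, actor, action, target, location in events:
        if actor not in PRIVILEGED_USERS:
            continue  # ordinary users are supervised by other controls
        ts = datetime.fromisoformat(ts_s)
        # Anomaly 1: privileged user assigns access rights to her own account.
        if action == "GRANT_ROLE" and target == actor:
            alerts.append((actor, "self-assigned access rights", ts_s))
        # Anomaly 2: any privileged action outside the approved window.
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append((actor, "activity outside business hours", ts_s))
        # Anomaly 3: a new login close in time to an earlier one from elsewhere.
        if action == "LOGIN":
            for prev_ts, prev_loc in logins.get(actor, []):
                if prev_loc != location and ts - prev_ts <= CONCURRENT_WINDOW:
                    alerts.append((actor, f"concurrent logins from {prev_loc} and {location}", ts_s))
            logins.setdefault(actor, []).append((ts, location))
    return alerts


# ---- 2. Data loss prevention ------------------------------------------------

TRUSTED_DOMAINS = {"examplefirm.test"}           # assumption: the firm's own mail domain
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024          # assumption: 10 MiB outbound threshold
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # 3-2-4 digit Social Security number
ACCOUNT_RE = re.compile(r"\bAC\d{10}\b")         # assumption: firm account format "AC" + 10 digits

# Constructed outbound messages: (sender, recipient, size in bytes, body)
OUTBOUND = [
    ("advisor@examplefirm.test", "client@mail.test",         2048,       "Your SSN on file is 123-45-6789."),
    ("ops@examplefirm.test",     "ops2@examplefirm.test",    4096,       "Account AC0012345678 rebalanced."),
    ("advisor@examplefirm.test", "someone@mail.test",        3000,       "Statement for AC0012345678 attached."),
    ("advisor@examplefirm.test", "dropbox@untrusted.test",   52_428_800, "Quarterly export."),
    ("advisor@examplefirm.test", "client@mail.test",         1500,       "Meeting confirmed for Tuesday."),
]


def dlp_verdicts(messages):
    """Return (verdict, recipient, reasons) per message; rules apply to external recipients."""
    verdicts = []
    for _sender, recipient, size, body in messages:
        domain = recipient.rsplit("@", 1)[-1].lower()
        external = domain not in TRUSTED_DOMAINS
        reasons = []
        if external and SSN_RE.search(body):
            reasons.append("SSN")
        if external and ACCOUNT_RE.search(body):          # the broadened rule from the finding
            reasons.append("customer account number")
        if external and size > LARGE_TRANSFER_BYTES:      # threshold for untrusted recipients
            reasons.append("large transfer to untrusted recipient")
        verdicts.append(("BLOCK" if reasons else "ALLOW", recipient, reasons))
    return verdicts


if __name__ == "__main__":
    for alert in privileged_user_alerts(AUDIT_EVENTS):
        print("ALERT", *alert)
    for verdict in dlp_verdicts(OUTBOUND):
        print(*verdict)
```

The rule constants sit at the top so that a change to the account-number pattern, the trusted-domain list or the size threshold is a reviewable configuration edit, which is the change-management point the Data Loss Prevention finding makes; in a real deployment those values would come from a version-controlled rule set rather than module constants.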
[1] For additional information on cybersecurity, including FINRA's Small Firm Checklist, please see FINRA's cybersecurity topic page.
[2] "Spearphishing" is an email attack that typically targets an individual or set of individuals with emails that appear to be from an entity or person known to the target.
[3] Some of these observations are more relevant to large firms or firms with a highly technology-dependent business model.
[4] A "privileged user" is typically a systems, server, network or database administrator with unrestricted access to powerful commands that enable him or her to create other users, assign access rights, create, copy, delete and modify any files and databases, build new servers in production or shut down servers and systems. Often these users are assigned to a technology infrastructure department and support numerous business lines and systems across the whole organization.