This report continues FINRA’s efforts to share information that can help broker-dealer firms further develop their cybersecurity programs. Firms routinely identify cybersecurity as one of their primary operational risks. Similarly, FINRA continues to see problematic cybersecurity practices in its examination and risk monitoring program. This report presents FINRA’s observations regarding effective practices that firms have implemented to address selected cybersecurity risks, while recognizing that there is no one-size-fits-all approach to cybersecurity.
When selecting the topics for this report, FINRA considered the evolving cybersecurity threat landscape, firms’ primary challenges and the most frequent cybersecurity findings from our firm examination program. First, we address how firms have strengthened their cybersecurity controls in branch offices, which is especially important for firms with decentralized business models. Second, we discuss limiting phishing attacks, which remain a top cybersecurity challenge for many firms. Third, we explain the importance of identifying and mitigating insider threats, which are of concern for many firms. Fourth, we describe the elements of a strong penetration testing program. Finally, we share observations regarding establishing and maintaining controls on mobile devices, which have emerged as a significant risk for many firms because of their increasingly widespread use by employees and customers.
FINRA notes that the specific practices highlighted in this report should be evaluated in the context of a holistic firm-level cybersecurity program. FINRA’s 2015 Report on Cybersecurity Practices addresses the elements of such cybersecurity programs and provides guidance to firms seeking to improve their current protocols. Further, small firms seeking to develop or improve their cybersecurity practices should review the appendix to this report, “Core Cybersecurity Controls for Small Firms.” This appendix, combined with the FINRA Small Firm Cybersecurity Checklist, will assist small firms in identifying possible cybersecurity controls.
This report is not intended to express any legal position, and does not create any new legal requirements or change any existing regulatory obligations. Inquiries regarding this report may be directed to Steven Polansky, Senior Director, Member Supervision/Shared Services, at (202) 728-8331 or [email protected].