Cybersecurity and Technology Governance
Regulatory Obligations and Related Considerations
Rule 30 of the SEC’s Regulation S-P requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information. FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations. In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.
Technology-related problems, such as problems in firms’ change- and problem-management practices or issues related to an increase in trading volumes, can expose firms to operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.
- What is the firm’s process for continuously assessing cybersecurity and technology risk?
- What kind of governance processes has your firm developed to identify and respond to cybersecurity risks?
- What is the scope of your firm’s Data Loss Prevention program, including encryption controls and scanning of outbound emails to identify sensitive information?
- How does your firm identify and address branch-specific cybersecurity risks?
- What kind of training does your firm conduct on cybersecurity, including phishing?
- What process does your firm have to evaluate your firm’s vendors’ cybersecurity controls?
- What types of penetration (“PEN”) testing, if any, does your firm do to test web-facing systems that allow access to customer information or trading?
- How does your firm monitor for imposter websites that may be impersonating your firm or your registered representatives? How does your firm address imposter websites once they are identified?
- What are your firm’s procedures for communicating cyber events to AML or compliance staff so they can meet related regulatory obligations, such as filing SARs and informing reviews of potentially impacted customer accounts?
- FINRA continues to observe fraudsters and other bad actors engaging in cybercrime that increases both fraud risk (e.g., synthetic identity theft, customer account takeovers, illegal transfers of funds, phishing campaigns, imposter websites) and money laundering risk (e.g., laundering illicit proceeds through the financial system).
- Events involving, or enabled by, cybercrime are expected to be reported via SARs. FINRA has also published Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts), which discusses cybersecurity practices firms may find effective in mitigating risks related to ATOs and funds transfers.
- What controls does your firm implement to mitigate system capacity, performance and integrity issues that may undermine its ability to conduct business and operations, monitor risk or report key information?
- How does your firm document system change requests and approvals?
- What type of testing does your firm perform prior to system or application changes being moved into a production environment and post-implementation?
- What are your firm’s procedures for tracking information technology problems and their remediation? Does your firm categorize problems based on their business impact?
Exam Findings and Effective Practices
- Inadequate Risk Assessment Process – Not having an adequate and ongoing process to assess cyber and IT risks at the firm, including, for example, failing to test implemented controls or to conduct PEN testing regularly.
- Data Loss Prevention Programs – Not encrypting all confidential data, including not only Social Security numbers but also a broad range of other non-public customer information (such as account profile information) and sensitive firm information.
- Branch Policies, Controls and Inspections – Not maintaining branch-level written cybersecurity policies; inventories of branch-level data, software and hardware assets; and branch-level inspection and automated monitoring programs.
- Training – Not providing ongoing comprehensive training to registered representatives, other firm personnel, third-party providers and consultants on cybersecurity risks relevant to individuals’ roles and responsibilities (e.g., phishing).
- Vendor Controls – Not implementing and documenting formal policies and procedures to review prospective and existing vendors’ cybersecurity controls and managing the lifecycle of firms’ engagement with all vendors (i.e., from onboarding, to ongoing monitoring, through off-boarding, including defining how vendors will dispose of non-public client information).
Emerging Vendor Risk
Due to the recent increase in the number and sophistication of cyberattacks during the COVID-19 pandemic, FINRA reminds firms of their obligations to oversee, monitor and supervise cybersecurity programs and controls provided by third-party vendors.
Firms can find guidance in this area in Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Risk Considerations for Managed Service Provider Customers.
- Access Management – Not implementing access controls, including developing a “policy of least privilege” to grant system and data access only when required and removing it when no longer needed; not limiting and tracking individuals with administrator access; and not implementing multi-factor authentication (MFA) for registered representatives, employees, vendors and contractors.
- Inadequate Change Management Supervision – Insufficient supervisory oversight for application and technology changes (including upgrades, modifications to or integration of firm or vendor systems), which leads to violations of other regulatory obligations, such as those relating to data integrity, cybersecurity, books and records, and confirmations.
- Limited Testing and System Capacity – Order management system, online account access and trading algorithm malfunctions due to a lack of testing for changes or system capacity issues.
Effective Practices
- Insider Threat and Risk Management – Collaborating across technology, risk, compliance, fraud and internal investigations/conduct departments to assess key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies regarding data access or data accumulation.
- Incident Response Planning – Establishing and regularly testing (often using tabletop exercises) a written formal incident response plan that outlines procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents.
- System Patching – Implementing timely application of system security patches to critical firm resources (e.g., servers, network routers, desktops, laptops, mobile phones, software systems) to protect non-public client or firm information.
- Asset Inventory – Creating and keeping current an inventory of critical information technology assets—including hardware, software and data—as well as corresponding cybersecurity controls.
- Change Management Processes – Implementing change management procedures to document, review, prioritize, test, approve, and manage internal and third-party hardware and software changes, as well as system capacity, in order to protect non-public information and firm services.
- Online System Capacity – Continuously monitoring and testing the capacity of current systems, and tracking average and peak utilization, to anticipate the need for additional resources based on increases in accounts or trading volumes, as well as changes in systems.
- Customer Account Access – Requiring customers to use MFA to access their online accounts.
FINRA’s Cybersecurity Topic Page, including:
- Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors)
- Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
- Regulatory Notice 20-30 (Fraudsters Using Registered Representatives Names to Establish Imposter Websites)
- Information Notice 03/26/20 (Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19))
- Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
- Report on Selected Cybersecurity Practices – 2018
- Report on Cybersecurity Practices – 2015
- Small Firm Cybersecurity Checklist
- Core Cybersecurity Controls for Small Firms
- Firm Checklist for Compromised Accounts
- Customer Information Protection Topic Page
- Cross-Market Options Supervision: Potential Intrusions Report Card
- Non-FINRA Cybersecurity Resources