Cybersecurity and Technology Governance

Regulatory Obligations and Related Considerations

Regulatory Obligations

Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts."¹ FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to member firms’ operations. In addition to member firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.

Cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure of customer information or fraudulent financial activity can expose member firms to financial losses, reputational risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 3120 (Supervisory Control System), as well as Exchange Act Rules 17a-3 and 17a-4.

Related Considerations

Cybersecurity

• What steps has your firm taken to prevent a cybersecurity intrusion, such as a ransomware attack? In the event your firm experiences an intrusion, how will it restore critical data from backups, as well as identify and recover customer information that was exfiltrated?
• How does your firm protect sensitive customer information or confidential firm data from being exposed to, or copied by, nonauthorized individuals or threat actors, including blocking unauthorized copying and monitoring sensitive data in outbound emails?
• How does your firm monitor for imposter websites that may be impersonating your firm or your registered representatives? How does your firm address imposter websites once they are identified?
• What process has your firm established to assess the risks associated with third-party vendors during the initial onboarding and on a regular basis thereafter? In the event there is a report of a security breach at a vendor, can your firm identify all components and services third parties provide?
• What steps do your firm take to ensure only authorized employees, customers or contractors receive authenticated access to firm systems, such as account management, trading and email?
• How does your firm verify the identity of an individual when creating a new account or accessing an existing account?
• What kind of security training does your firm conduct, such as email best practices and phishing? Does your firm provide training to all staff, and not just to registered persons?
• What are your firm’s procedures to communicate cyber events to AML or compliance staff related to meeting regulatory obligations, such as filing of SARs and reviewing potentially impacted customer accounts?
• Does your firm maintain an Incident Response Plan (IRP) that includes guidance, or play books, for common cybersecurity incidents (e.g., data breaches, ransomware infections, account takeovers)?

Branch Controls

• How does your firm identify and address branch-specific cybersecurity risks, including those associated with branch-hosted email or other software systems and servers?
• If your firm permits registered representatives to use personal devices for business, how does your firm ensure its foundational security controls are implemented (e.g., security patches, anti-virus software)?
• Does your firm maintain an inventory of all technology assets branch office staff use to access your firm’s systems or data, including personal computers and servers?
• How does your firm review branch office security controls to ensure compliance with required standards established in your firm’s written policies and procedures?
• Do branch office personnel know how to respond to cybersecurity incidents in the branch, including when to report the incident to the home office?

Observations and Effective Practices

Observations

• Account Access Authentication: Lack of multifactor authentication (MFA) for login access to the firm’s operational, email and registered representative systems for employees, contractors and customers.
• New Account Opening Identity Validation: Ineffective processes and tools for validating the identity of customers opening new accounts or detecting suspicious activity associated with the opening of new accounts (e.g., multiple new accounts opened from the same internet protocol (IP) address).
• Identity Theft Prevention Program (ITPP): Implementing a generic ITPP that is not appropriate to the firm’s size and complexity, and the nature and scope of the firm’s activities; and not periodically updating the firm’s ITPP to reflect changes in identity theft risks.
• Data Loss Prevention (DLP) Monitoring: Not monitoring network activity to identify unauthorized copying or deletion of customer or firm data; and not monitoring outbound emails to identify sensitive customer data in text or attachments.
• Branch Office Security Controls: Not establishing security controls that branch offices must follow when they maintain their own email systems or other application systems or servers; and failing to respond when a branch office is not compliant with established security controls for maintaining a branch hosted email or application server.
• Third-Party Vendor Supply Chain Management: Not maintaining a list of all third-party services or hardware and software components the vendor provides and which the firm’s technology infrastructure uses.
• Digital Transformation and the Adoption of Cloud: Inadequate planning and design when adopting the use of cloud-based systems or technology.
• Log Management Practices: Not sufficiently logging or retaining data related to business or technical activities to effectively assist with the forensic analysis of cybersecurity incidents (e.g., determining the entry point and scope of an attack).
• WSPs: Not updating WSPs to reflect the firm’s current cybersecurity practices; and not enforcing the firm’s WSPs related to cybersecurity.
• Suspicious Activity Report (SAR) Filings: Not having reasonably designed procedures for investigating cyber events and considering whether a SAR filing is required, or not following applicable guidance from the Financial Crimes Enforcement Network (FinCEN) when evaluating whether a cyber event requires the filing of a SAR.

Effective Practices

• Data Backups: Completing regular backups of critical data and systems and ensuring the backup copies are encrypted and stored off-network; and regularly testing the recovery of data from backups to ensure information can be restored from backup tapes.
• Branch Office Procedures: Limiting the use of branch-managed servers for email or other applications (e.g., customer relationship management, reporting) and, if branch-managed servers are permitted, ensuring adequate security controls are maintained.
• Risk Assessments: Regularly assessing the firm’s cybersecurity risk profile based on changes in the firm’s size and business model and newly identified threats; and regularly updating the firm’s cybersecurity program and AML program based on those assessments.
• Account Intrusion: Reviewing potentially violative activity when identified to determine whether further action (e.g., trading and fund restrictions on the accounts) is appropriate.
• Imposter Domains: Monitoring the internet for any new imposter domains that pretend to represent the firm or a registered representative; and maintaining written procedures for responding to reports of imposter domains that include reporting the domains and notifying impacting customers or business partners.
• Outbound Email Monitoring: Implementing systems that scan outbound email text and attachments to identify and potentially block sensitive customer information or confidential firm data.
• Vendor Management: Maintaining a list of all third-party-provided services, systems and software components that can be leveraged (in the event of a cybersecurity incident at one of the firm’s third-party vendors).
• Identity Verification: For firms that allow new accounts to be opened online, developing a comprehensive process for validating the identity of new clients; and using third parties that can verify identities and provide a score related to the level of risk associated with a new account (to help firms determine if additional verification is required).
• Secure Configurations: Confirming that desktops, laptops and servers are using current software systems with secure settings that expose only required services to reduce system vulnerabilities; and implementing timely application of systems security patches.
• Log Management: Capturing log data from a broad set of sources and retaining it for a sufficient amount of time (e.g., a minimum of twenty-four months).
• Potential Intrusion Report Card: Leveraging the FINRA Cross Market Options Supervision: Potential Intrusion Report Card, which provides lists of trades related to potentially fraudulent options transactions facilitated by account takeover schemes.

Additional Resources

• FINRA
  • Cybersecurity Topic Page, including:
    • Core Cybersecurity Threats and Effective Controls for Small Firms
    • Cross-Market Options Supervision: Potential Intrusions Report Card
    • Customer Information Protection Topic Page
    • Firm Checklist for Compromised Accounts
    • List of Non-FINRA Cybersecurity Resources
    • Report on Selected Cybersecurity Practices – 2018
    • Report on Cybersecurity Practices – 2015
    • Small Firm Cybersecurity Checklist
  • Regulatory Notices
    • Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks)
    • Regulatory Notice 22-18 (FINRA Reminds Firms of Their Obligation to Supervise for Digital Signature Forgery and Falsification)
    • Regulatory Notice 21-42 (FINRA Alerts Firms to “Log4Shell” Vulnerability in Apache Log4j Software)
    • Regulatory Notice 21-30 (FINRA Alerts Firms to a Phishing Email Campaign Using Multiple Imposter FINRA Domain Names)
    • Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors)
    • Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts)
    • Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
    • Regulatory Notice 20-30 (Fraudsters Using Registered Representatives Names to Establish Imposter Websites)
    • Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
    • Information Notice 03/26/20 (Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19))
• FinCEN
  • Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime