U.S. Financial Industry Regulatory Authority releases Report on Selected Cybersecurity Practices
In December 2018, the Financial Industry Regulatory Authority (FINRA) released its Report on Selected Cybersecurity Practices (the Report). FINRA is a self-regulatory association that oversees brokerage firms and exchange markets in the United States. The Report covers the areas of Branch Controls, Phishing, Insider Threats, Penetration Testing, and Mobile Devices. These recommendations are significant both for Canadian broker-dealers who operate in the United States and for Canadian firms looking to implement industry best practices for Cybersecurity and Data Protection.
Canadian Broker-Dealers are already familiar with Cybersecurity requirements including Cybersecurity Best Practices released by the Investment Industry Regulatory Organization of Canada (IIROC).
The first area covered by the Report is the challenge for larger broker-dealers of maintaining effective cybersecurity at local branch locations. Local branches may exercise significant autonomy in how they run their operations. This creates challenges of integration with a firm-wide cybersecurity program, particularly in the areas of software patching and upgrades. FINRA suggests firms establish Written Supervisory Procedures (WSPs) to govern minimum cybersecurity controls for local branches. These WSPs can be supplemented by maintaining an up-to-date inventory of local branch IT assets and an effective examination process for local branch cybersecurity.
Targeted attempts to obtain sensitive information via phishing remain the most common cybersecurity threat broker-dealer organizations face. Today’s phishing scams are more sophisticated than the Nigerian prince emails that began in the late 1990s. Well-researched phishing attacks (spear-phishing) are customized to the recipient and often impersonate a highly trustworthy entity in an attempt to get a user to click an infected link. FINRA recommends broker-dealers implement a robust education program for users. At a minimum, users should be aware of:
- Discrepancies between the name and email address or “reply to” address of the sender or discrepancies between the written address of a link and its true URL;
- Communications from a new individual or corporation with whom the user does not regularly correspond or additional unknown recipients;
- Generic salutations, unexpected timing or communication style from a known colleague or superior;
- Strange spelling or grammatical errors;
- Strange or unexpected attachments;
- Requests for sensitive information such as account numbers, Social Security information, user names or passwords;
- Strange urgency of the request or pressure to circumvent company policies; and
- Notifications that are “too good to be true”.
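Two of the indicators in the list above (sender versus “reply to” address, and displayed link text versus the real URL) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the Report or from FINRA; the message, domains and function names are constructed for illustration.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the Report) that exhibits two of the flags above.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example-broker.com>
Reply-To: IT Helpdesk <helpdesk@mail-example.net>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please verify at <a href="http://example-broker.com.login-verify.net/x">https://example-broker.com/login</a></p>
"""

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw_message):
    """Return a list of (flag, detail) tuples for header and link discrepancies."""
    msg = email.message_from_string(raw_message)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(("reply-to-mismatch", f"{from_addr} -> {reply_addr}"))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if " " in text or "." not in text:  # plain words like "click here": nothing to compare
            continue
        shown = urlparse(text if "://" in text else "//" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            findings.append(("link-mismatch", f"shows {shown}, goes to {real}"))
    return findings
```

A mail gateway can quarantine or tag messages that produce any finding; the remaining indicators in the list (tone, urgency, unexpected attachments) still rely on the trained user.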
In addition to user education, the Report also encourages organizations to implement mailbox scanning and filtering to prevent malicious communications from ever reaching employees, and to test employees with mock phishing scenarios. Incidents and the firm’s responses should be logged and evaluated, with potential remedial programs for employees who fall short of appropriate anti-phishing standards.
While phishing is one of the largest external cybersecurity risks to an organization, malicious insiders represent a critical internal threat. Insiders have access to key internal systems or data by virtue of their position within an organization. In addition, firms should be on guard for non-malicious insiders who inadvertently expose sensitive data such as the employee who loses an unlocked laptop.
The Report recommends several actions for addressing cybersecurity threats from insiders. Firms need to carefully monitor which employees have access to critical systems and track when access or privileges are changed following the resignation, termination, or transfer of an employee or contractor. FINRA also recommends regular reviews of user entitlements and strong password requirements for all users. Firms can also proactively seek to identify potentially malicious insiders, such as those who have received a warning, demonstrate a decline in performance, or have made attempts to bypass security protocols.
The Report also addresses penetration testing (also called pen testing). This involves simulated attacks on a firm’s computer network to identify vulnerabilities and assess the effectiveness of the firm’s protective measures and response. Pen tests can take a variety of forms. “White Box” tests occur when the testing team is given information about the system, such as a user ID or a list of software programs in use. By contrast, “Black Box” tests occur where the test team knows nothing about the system in advance. “Gray Box” tests are the halfway point, where the test team knows some information about the system.
FINRA notes that the most effective firms employ a risk-based approach to pen testing, which tests higher-risk systems more frequently. Higher-risk systems can be identified based on the sensitivity of the data they contain, their operational importance, and previously known vulnerabilities. Firms should also conduct appropriate due diligence when selecting pen test vendors to ensure they will not publicize or exploit any vulnerabilities which are discovered. Finally, firms should have protocols for tracking the results of pen tests and addressing potential vulnerabilities.
The transition to a mobile-first world also presents a cybersecurity risk to firms, particularly those with Bring Your Own Device (BYOD) policies. To address the potential risks of mobile device use, the Report notes best practices including:
- Prohibiting the use of non-approved personal devices for firm business;
- Requiring employees to sign a mobile device agreement agreeing to comply with the firm’s policies and procedures;
- Regularly reviewing mobile device security controls;
- Including mobile device security in employee cybersecurity training;
- Requiring personal devices used for firm business to maintain an encrypted mobile device management (MDM) application;
- Ensuring the firm is able to remotely wipe firm data from a device which is lost or stolen; and
- Removing all software on mobile devices which violates the firm’s security policy.
The Report’s recommendations of Cybersecurity Best Practices are important for firms beyond the United States. In an era of mandatory breach reporting (see IIROC’s proposed Mandatory Reporting of Cybersecurity Incidents and our accompanying blog post), financial services firms want to be doing everything they can to limit the harm from data breaches. Firms should consequently work with counsel to review their implementation of the best practices found in the FINRA report and address delinquencies as necessary.