FINRA Cybersecurity: How Does Your Firm Measure Up? 10 Best Practices for Establishing a Robust Cybersecurity Program.

By Kimberly Johnson, Senior Vice President

Cybersecurity continues to be one of the most critical operational risks for financial services companies. Like many Legal and Compliance professionals who read the 2024 FINRA Annual Regulatory Oversight Report, you may wonder how your firm’s Cybersecurity Program stacks up. Risks such as account takeovers, ransomware or network intrusions, exposure of customer personally identifiable information (PII), and fraudulent financial activity can expose firms to operational failures, financial losses, and reputational risks that may compromise their ability to comply with a myriad of mandatory regulations.

Has your firm implemented a plan to address the new cybersecurity rules that went into effect in 2023? How does your firm treat account access authentication? Does your firm have an adequate planning and design checklist for use when onboarding new cloud-based systems or technology? How does your firm review security controls to ensure compliance with required standards established in your firm’s written policies and procedures (WSPs)? What are your firm’s procedures to communicate cybersecurity events to compliance staff to facilitate compliance with regulatory obligations such as the filing of Suspicious Activity Reports (SARs)? Does your firm maintain an Incident Response Plan (IRP) that includes protocols for cybersecurity incidents such as data breaches, ransomware infections, and account takeovers? These are just a few of the key areas to focus on when implementing or enhancing your program.

Regulations dictate requirements for firms to develop and maintain reasonably designed cybersecurity programs. These must be consistent with a firm’s specific risk profile, business model and scale of operations.

To kick things off, let’s start with what FINRA deems as the varying threats your program should defend against. In its 2024 Annual Regulatory Oversight Report, FINRA has cited an increase in the type, rate of recurrence, and complexity of cybersecurity incidents, including:

  • Imposter Websites: phishing campaigns involving fraudulent emails claiming to be from a legitimate company.
  • Insider Threats: incidents where firm employees, advertently or inadvertently, use their access to firms’ systems and data to cause harm to firms, investors, or both.
  • Ransomware: cyberattacks where bad actors gain unauthorized access to firm systems, encrypting or otherwise accessing sensitive firm data or customer information, and then holding that hijacked data for ransom; and
  • Cybersecurity Events at Critical Vendors: incidents experienced by vendors that provide information technology services to firms, resulting in harm to firms and their investors.

To ensure your firm’s plan measures up, let’s tackle some of the best practices for examining your firm’s existing Cybersecurity Program.

  1. Annual Program Review:
    Review your firm’s Cybersecurity Program at least annually to ensure that nothing has changed from a technology, regulatory or process perspective. It is critical to monitor regulatory activity for new rules and changes to existing rules to prepare the business to make required enhancements to keep your program current. Effective dates and compliance dates can vary, so pay close attention to the details within each regulatory announcement.
  2. Risk Assessment:
    Perform a detailed cybersecurity-focused risk assessment to identify inherent risks, establish controls to mitigate those risks, and deploy a monitoring and testing program to supervise residual risks.
  3. Policies and Procedures:
    Update your Written Supervisory Procedures (WSPs) to reflect the firm’s current cybersecurity practices and disseminate the updated content to firm employees. Memorialize the security controls the firm has in place and the protocols employees are required to follow. Establish supervision to detect instances when employees are not following the protocols, and follow up on any alert that protocols may have been broken. Detail procedures for investigating cybersecurity events and determining whether a SAR filing is required in accordance with applicable guidance from the Financial Crimes Enforcement Network (FinCEN).
  4. Data Protection:
    Partner with your firm’s Chief Technology Officer or Chief Information Security Officer to ensure that your firm has taken adequate steps to prevent a cybersecurity intrusion and has developed a plan to protect sensitive customer information or confidential firm data from being exposed to or copied by unauthorized individuals. Detail protocols to restore critical data from backups and recover customer information in the event of a breach. Establish specific risk-based protocols when adopting the use of cloud-based systems or new technology.
  5. Employee Training:
    Disseminate frequent, required cybersecurity training to all employees, not just registered employees, to keep the red flags top of mind. A team is only as strong as its weakest link, so be sure to stress the importance of reporting suspicious emails, not clicking on links from unknown senders, and maintaining multi-factor authentication on all firm-related access. Detail the consequences associated with non-compliance with the firm’s Cybersecurity Program. Make employees aware that each person plays a critical role in ensuring the security of company data, account access, and trade secrets.
  6. Employee Supervision:
    Implement email monitoring to identify and block customer information or confidential firm data within outbound email text and attachments. Regularly send company-generated phishing emails to employees to evaluate whether they identify and report suspicious emails to the IT team. Monitor network activity to identify unauthorized copying or deletion of customer or firm data.
  7. Identity Verification:
    Develop a comprehensive process for validating the identity of new clients and retaining all pertinent documentation. Ensure your firm has effective processes and tools for verifying the identity of customers who are opening new accounts and for detecting suspicious activity associated with new account fraud. Create escalation protocols for cases that require additional attention or due diligence.
  8. Firm Technology:
    Establish tools to identify potential unauthorized access to the firm’s internal and customer-facing systems. Memorialize escalation protocols to ensure prompt action is taken if an incident occurs.
  9. Multi-factor Authentication:
    MFA goes a long way in ensuring your accounts are not accessed by cybercriminals. Use MFA for login access to the firm’s operational, email and registered representatives’ systems for employees, contractors, and customers.
  10. Third-Party Vendors:
    Establish an extensive vetting process for any potential third-party vendors using a risk-based approach. Vendors with access to firm data, including PII and account information, are the highest risk. Maintain a list of all third-party services, hardware, and software components each vendor provides and which the firm’s technology infrastructure uses.

Next, let’s break down your firm’s required compliance with FINRA and SEC regulations. Below are several SEC and FINRA rules related to cybersecurity. Although the list is not comprehensive, it’s a great starting point as you review your plan for potential enhancements.

  • Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
  • Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program designed to detect, prevent, and mitigate identity theft in connection with the opening or maintenance of covered accounts.
  • FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to member firms’ operations.
  • FINRA Rules 3110 (Supervision) and 3120 (Supervisory Control System).
  • Exchange Act Rules 17a-3 and 17a-4 detail which specific records must be retained and for what periods of time.
  • FINRA Rule 4530(b) (Reporting Requirements) – Cybersecurity incidents could also trigger this rule, which requires members to promptly report to FINRA when they have concluded that they have violated any regulations that meet the standards in FINRA Rule 4530.01 (Reporting of Firms’ Conclusions of Violations).
  • A new rule and changes to existing rules were adopted in July 2023 that require public reporting companies to disclose the material aspects of cybersecurity incidents they experience within four business days after the firm determines the incident is material and material information regarding their cybersecurity risk management, strategy, and governance on an annual basis.
  • The SEC has also proposed a cybersecurity risk management rule that, if adopted, would require firms to address cybersecurity risks by establishing, maintaining, and enforcing reasonably designed written policies and procedures, and providing the SEC with immediate written electronic notice of significant cybersecurity incidents. Learn more about the new rule and changes to existing cybersecurity rules here.

For additional broker-dealer compliance tips on building end-to-end programs, identifying and mitigating regulatory risks, and more, follow me on LinkedIn. For weekly financial services, Legal, Compliance and Human Resources-related news articles, follow FiSolve on LinkedIn.
