Here Are 5 FINRA’s Cybersecurity Practices To Follow
For all intents and purposes, you should really think about FINRA compliance and cybersecurity as the same thing. While they’re not technically exactly aligned, when it comes to firms like yours, the difference is negligible.
At the end of the day, you need to be secure, in order to be FINRA compliant – are you?
What’s The Foundation Of FINRA Compliance?
Let’s start with the basics – compliance is determined by your firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information/ That means following the three regulations below. Think of them as what’s required of you and how you deal with your data…
- You Need A Written Policy
Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
- You Need To Protect Against Identity Theft
Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
- Your Data Needs To Be Stored The Correct Way
The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format
5 FINRA Best Practices You Need To Follow
1. Keep Data Safe Where Branches Are Concerned
The point of Written Supervisory Procedures (WSPs) is that they make sure your branches are as secure as your primary location. No matter how good your onsite cybersecurity is, that doesn’t mean anything to your branches.
Make sure to dictate exactly how branches are expected to protect data, such as
- Mandatory security controls
- Notifications concerning issues and breaches
- Accepted security settings and vendors
- Assignment of duties and responsibilities pertaining to cybersecurity controls
- Training curriculum and testing protocols
2. Protect Against Phishing
Phishing is a wildly common cybercrime tactic, in which a fraudulent email convinces the recipient to share valuable data, execute a significant financial transfer, or download malware. Phishing succeeds when a cybercriminal uses fraudulent emails or texts, and counterfeit websites to get the user to share their personal or business information like their login passwords, Social Security Number or account numbers. They do this to rob a user or organization of their identity and/or steal their money.
Cybersecurity awareness training is becoming a more and more common part of modern IT services. The fact is that users are a key target for cybercriminals; the more they know about cybercrime tactics, the better defended your organization will be.
3. Test Your Defenses
You won’t know how strong your cybersecurity is if you don’t test it. That’s why you need to have penetration testing performed on a regular basis. It’s an authorized attempt to break through your organization’s cybersecurity defenses, determining precisely where your vulnerabilities may be.
FINRA recommends running penetration tests both on a regular basis, as well as after key events – anything really that makes significant changes to your firm’s infrastructure, staffing, access controls, or other cybersecurity-based considerations.
4. Make Your Users A Cybersecurity Asset
More often than not, cybercriminals will target your staff. They’re usually the weakest links in an organization. This is why you need to have a carefully implemented process to track the lifecycle of accounts on your network.
- Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
- Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
- Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity.
5. Keep Data Protected On Mobile Platforms
Just like how your onsite cybersecurity doesn’t extend to branches, it also may not extend to the mobile devices your staff uses for work. This is a critical limitation of your cybersecurity software, and it’s obvious when you think about it – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then obviously you won’t be totally secure.
Maintaining mobile security isn’t just about having the right apps – it means following the right protocols, to eliminate unknown variables and maintain security redundancies:
- Review installed apps and remove any unused ones on a regular basis.
- Review app permissions when installing, and when updates are made.
- Enable Auto Update, so that identified security risks are eliminated as quickly as possible.
- Keep data backed up to the cloud or a secondary device (or both).
Like this article? Check out the following blogs to learn more: