While use of the Checklist is optional, compliance with industry regulations is not. Cybersecurity practices are a key review focus for FINRA and the SEC.
Core Checklist Goals
The five core goals of the Checklist are to:
- Identify and assess cybersecurity threats to small business
- Protect the infrastructure from cyber intrusions
- Detect a compromise or vulnerability
- Respond via a risk-based plan
- Recover or replace lost data
The Twelve Checklist Steps
If you store, use or electronically transmit Personally Identifiable Information (PII), which includes names, Social Security numbers and dates of birth, or sensitive information such as financial records, account information, tax filings and addresses (collectively, "private data"), then instituting the following 12-step program should be considered:
1. Find the PII
Conduct an internal audit to:
- Locate the private data in your business (network drive, system folder, laptop or email) and complete separate entries for each location
- Rate each level of risk (low, medium, high) and project the impact of loss to the firm or customers
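As an added example that is not part of the Checklist or of FINRA's materials, the following Python script carries out the step-1 inventory over constructed sample file contents standing in for a network drive, a laptop folder and a mailbox: it counts the PII categories the Checklist names (Social Security numbers, dates of birth, account numbers), records one entry per location and assigns a low/medium/high rating under an assumed rule (SSN present is high, DOB or account number alone is medium).

```python
import re
from dataclasses import dataclass, field

# Constructed sample data; file paths and contents are illustrative only.
SAMPLE_LOCATIONS = {
    "network_drive/clients/onboarding.txt":
        "Client: Jane Doe\nSSN: 123-45-6789\nDOB: 04/12/1971\nAcct: 00123456\n",
    "laptop/ops/notes.txt":
        "Meeting notes: review quarterly filings. No client data.\n",
    "email/inbox/statement.eml":
        "Attached statement for account 99887766. Routing questions to ops.\n",
}

# Detection patterns for the PII categories the Checklist lists.
PATTERNS = {
    # SSN in 123-45-6789 form, excluding never-issued area/group/serial values.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Date of birth in MM/DD/YYYY form.
    "dob": re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
    # Eight-digit account number following an "Acct"/"account" label (assumed format).
    "account": re.compile(r"\b(?:Acct|account)[: ]+(\d{8})\b", re.IGNORECASE),
}

@dataclass
class Entry:
    """One inventory entry per location, as the Checklist asks for."""
    location: str
    findings: dict = field(default_factory=dict)  # category -> number of hits
    risk: str = "low"

def rate_risk(findings):
    """Assumed rating rule: SSN -> high; DOB or account number -> medium; else low."""
    if findings.get("ssn"):
        return "high"
    if findings.get("dob") or findings.get("account"):
        return "medium"
    return "low"

def inventory(locations):
    """Scan each location's content and return a rated Entry per location."""
    entries = []
    for location, content in locations.items():
        hits = {name: len(p.findall(content)) for name, p in PATTERNS.items()}
        findings = {name: n for name, n in hits.items() if n}
        entries.append(Entry(location, findings, rate_risk(findings)))
    return entries

if __name__ == "__main__":
    for e in inventory(SAMPLE_LOCATIONS):
        print(f"{e.risk:6} {e.location}: {e.findings or 'no private data found'}")
```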
2. Minimize the Eyes
Lessen access to private data:
- Decide if you can remove private data from your systems and networks and still properly conduct business (keep in mind any recordkeeping obligations)
- Identify and remove people or systems that do NOT need access
- Remove the private data or stop sharing
3. Manage Third-Party Risks
Identify and lessen third-party access to private data. If you transmit private data to vendors, a clearing firm or your customers:
- List all third parties
- Assess their security protections:
  - obtain at least the most recent SSAE 16 report
  - assign to each a risk severity level
  - limit third-party access to data required for business reasons
4. Protect Private Data
Assess and remedy your firm policies regarding:
- Password strength and change cycle
- Removable storage media restrictions
- Malware/anti-virus software programs
- Firewall use
5. Protect Systems
Assess and remedy protections for all systems holding private data:
- List all private data systems (e.g., systems holding trading orders or customer accounts)
- Identify risks that could result from system loss
- Assess and remedy system protections, including:
  - password strength and change cycle
  - malware/anti-virus programs
  - firewall use
  - backing up
6. Use Encryption
Assess where private data is encrypted (protected while traveling to external sources) and remedy practices.
- Consider risk severity levels and resources to decide on remedies to make, such as:
  - encrypting all outgoing emails
  - encrypting all PII and sensitive data at rest or in storage
  - masking the data when displayed
7. Protect Employee Devices
Assess device permissions, restrict where indicated; isolate network access to approved and encrypted devices:
- Identify devices with access to private data and assign a risk severity level to such data
- Decide whether to deny employee access to all or some private information
- Decide whether to incorporate heightened protection procedures for devices, e.g., device data encryption and/or the ability to remotely erase devices that are lost or stolen
8. Monitor Controls
Draft, implement and monitor firm policies and procedures governing private data. A few monitoring reminders:
- Access to private data must be stopped when relationships with vendors, contractors or employees are terminated
- Conduct periodic training on cybersecurity policies and procedures, addressing firm-specific risks, systems, and incidents history
- Perform cybersecurity due diligence when engaging vendors
9. Test Protections
Consider adding an annual IT penetration test to assess infrastructure protections.
- Hire a third-party vendor or use internal staff to conduct the “pen” test
- Determine the scope of systems to be tested:
  - identify internal and external vulnerabilities
  - attempt to obtain sensitive info from the firm
  - remedy policies as needed
10. Detect Intruders
Assess whether to invest in an Intrusion Detection System (IDS):
- Did the firm receive any threat info from outside sources (e.g., FS-ISAC)?
- Are processes in place to act on it?
- Does the firm use tools to regularly scan systems for vulnerabilities, secure configuration, and current patch levels?
- Does the firm monitor scan results and address discrepancies?
- Do metrics track your cybersecurity controls and report conditions to senior executives?
- Do firm members report suspicions of intrusion to the CCO or IT manager?
11. Draft a Response Plan
Plan, communicate, respond, and govern as follows:
- Plan responses to the likely incidents:
  - loss of customer PII, data corruption, denial of service (DoS) or distributed denial of service (DDoS) attack, network intrusion, customer account intrusion or malware infection
- Respond as appropriate for the risk and your business:
  - full or partial shutdown of systems, disconnecting the system from the network, removing malware and reinstalling clean software, or disabling a user's system access
  - inform clients and regulating bodies of the remedy
- Consider these cybersecurity governance steps:
  - entrust one individual to lead all cybersecurity compliance
  - maintain a list of incidents
  - create a dashboard to track remedies, programs, and staff training
  - review customer complaints
  - address cybersecurity status at management and compliance meetings
  - share metrics with the CEO and COO
  - buy cyber-security insurance
12. Recover Private Data
Assess which recovery steps are necessary to resume business and whether the underlying vulnerabilities have been addressed:
- Do regularly scheduled backups restore private data if it is lost in a cyber incident?
- Can you rebuild breached systems if necessary?
- Can compromised files be replaced with clean versions?
- Is a plan in place to:
  - install patches, change passwords, and tighten the network should a cyber-incident take place?
  - heighten network monitoring and protection of resources after an incident?
The Checklist and the Law
“Regulators review firms’ approaches to cybersecurity risk management, including: technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.”
Expect Regulators to review a firm’s ability to protect sensitive customer information and its compliance with SEC regulations, including:
- Regulation S-P (17 CFR §248.30):
Firms must adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
- Regulation S-ID (17 CFR §248.201-202):
Firms have duties for detection, prevention, and mitigation of identity theft
- The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)):
Firms must preserve electronically stored records in a non-rewriteable, non-erasable format
Small financial services firms can use the Checklist to 1) identify and inventory their specific digital assets; 2) assess compromise impact to the firm and its customers; 3) identify likely protections and processes that secure their assets; 4) perform a risk-based assessment, considering firm resources, the impact of potential breaches, and available protections and safeguards; 5) decide which risks to remediate.
Small financial services firms should develop a cybersecurity program that best suits their business model. They may use the Checklist as their resource (informed by NIST and FINRA’s Report on Cybersecurity Practices) and/or SIFMA’s small firm checklist, NIST guidance, or SEC guidance. Firms should also maintain internal policies and procedures to comply with current federal and state cybersecurity requirements.
Small firms relying on clearing firms and vendors to maintain customer accounts and transact business should not assume that others will be responsible for cyber-incidents.
Some firms may need outside assistance in understanding the technology or terms of the Checklist and implementing a program. Consider working with an outside technology or regulatory compliance professional.