Cybersecurity Best Practices: FINRA’s 2019 Exam Observations

FINRA issued its 2019 Report on Examination Findings and Observations earlier in the year than it released the reports for prior years.

FINRA Changes Approach in Communicating Exam Results

This most recent report, issued on October 16, 2019, starts by highlighting a recently implemented distinction in how FINRA communicates exam results to firms. FINRA now reports “findings,” which are violations of the rules, separately from “observations” (formerly known as “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.”

Cybersecurity Observations

One focus area of the 2019 Report is, not surprisingly, cybersecurity. FINRA does not detail the findings or violations it identified in this area during its 2019 exams, but instead highlights ten (10) observations or best practices that firms can use to enhance their controls, strengthen their cybersecurity risk-management programs, and mitigate the risk of cybersecurity incidents. The highlighted areas are:

Branch Controls

Firms maintain branch-level written cybersecurity procedures and, importantly, also have procedures to verify that the branch procedures are implemented and functioning. Some firms review implementation through automated surveillance, others through onsite branch exams and visits.

Vendor and Third-Party Management

Firms have adopted, implemented, and documented policies and procedures to manage the full lifecycle of a vendor engagement, from on-boarding through ongoing monitoring to the end of the engagement.

Incident Response Planning

Firms establish and regularly practice or test written incident response plans that guide firm personnel during a cybersecurity or information security incident. Firms also implement procedures to identify, classify, prioritize, track, and close such incidents.

Data Protection Controls

Firms encrypt all confidential and sensitive information at the firm and require encryption of such information at vendor locations.

Patch Systems

Firms adopt procedures to ensure timely application of system security patches to all relevant firm resources (network routers, desktops, laptops, and software systems).

Access Controls

Firms implement policies and procedures that limit system access and data access to what is necessary for each person’s job function. This also includes terminating access when it is no longer needed. Firms also track and monitor the activities of those who have access. Finally, firms use multi-factor or two-factor authentication for firm personnel, vendors, or contractors accessing systems and data from outside the firm.

Manage Asset Inventory

Some firms maintain inventories of the information technology assets at the firm. These inventories also cover legacy assets that are no longer supported by vendors, along with the controls in place to protect those assets.

Data Loss Prevention Controls

Some firms extend data loss prevention controls beyond social security numbers to other sensitive customer profile information.

Training and Awareness

Training all personnel at the firm on their cybersecurity obligations and on potential threats is key. Effective training is tailored to the roles and responsibilities of the personnel being trained. Some firms set the frequency of training based on the firm’s risks and on job functions.

Change Management Processes

Implementing robust change management procedures that document, review, prioritize, test, approve, and manage hardware and software changes protects firm and customer information.

Take-Aways:

  • As FINRA notes, the frequency of cybersecurity attacks continues to increase. Such attacks succeed when there are weaknesses in cybersecurity programs. Implementing the best practices that FINRA identifies in its report would go a long way toward mitigating the risk of a successful attack.

  • The observations identified above were also among those identified by FINRA in its December 2018 Report on Selected Cybersecurity Practices. The fact that FINRA observed these same best practices in its 2019 exams is important information for firms that still need to shore up their cybersecurity defenses.

  • FINRA recognizes that there is no “one-size-fits-all” approach to implementing an effective cybersecurity program; firms should continue to evaluate their risk profile and refine their program as new risks are identified.

  • FINRA’s Report provides links to nine other resources to assist firms in understanding the cybersecurity and information security risks they face and best practices to enhance controls and mitigate risk.

  • As an aside, it will be a significant improvement in the messaging of exam results to firms and the industry if FINRA stays true to abandoning “recommendations” in exam reports, avoiding the confusion created when subsequent exams cite those same prior “recommendations” as “findings” or violations. Firms and the industry benefit when FINRA promptly shares best practices or observations after identifying potential risk areas in exams that are not violations.

Mark Brown