Finra Exec Sounds Off on Firms’ Most Common Cybersecurity Demerits

Incomplete incident-response plans, insufficient training and a lack of visibility into branch offices’ practices are among the most common cybersecurity-related shortcomings of Financial Industry Regulatory Authority member firms, according to executives at the industry self-regulator.

Many firms’ response plans lack contact information for internal and external partners as well as playbooks for scenarios for which the firm is susceptible, according to Heather Watson, senior principal risk specialist in Finra’s cyber and analytics unit within its member supervision program. Furthermore, response plans might not be customized to the firm’s business, and the firm may not be testing those plans annually — or at all, Watson said last week at Finra’s 2024 cybersecurity conference. A firm’s written supervisory procedures regarding cybersecurity also may not match what the firm does in practice, Watson added.

Regarding branch oversight, many firms don’t have visibility into the devices used in branch offices, Watson noted. As such, home offices may not be able to see if those devices are properly encrypted or equipped with antivirus, firewalls and multi-factor authentication, she said.

Finra has also found that cybersecurity often isn’t included in firms’ onboarding training for new hires or that the cybersecurity training isn’t ongoing, according to Watson. Additionally, firms may not have an onboarding procedure for external partners, resulting in a situation in which a third-party vendor has access to the firm’s critical information and the firm doesn’t have a procedure to immediately cut that access, she said.

Practices such as tracking outside vendors’ access to firm data and enforcing consequences for compliance failures among staff can mitigate cyber-related issues, according to others speaking at the conference.

Firms should compile and maintain a spreadsheet listing the vendors they work with and include information such as what data each vendor has access to, what each vendor’s security measures are and whether each vendor uses multi-factor authentication, according to Jennifer Szaro, chief compliance officer at XML Securities, a broker-dealer firm with locations in Colorado, Maryland, Pennsylvania and Virginia.

“I bet you will find some things you never knew about,” she said.

Oversight of how employees — including senior leadership — engage with technology is critical to firms’ cybersecurity efforts, according to Steven Silberstein, president and chief executive officer at the Financial Services Information Sharing and Analysis Center, a cyber intelligence sharing organization focused on financial services.

It comes down to the firms’ accountability to all parties involved, Silberstein noted.

Firms should broadly require multi-factor authentication and enforce it, so that “if somebody fails, there’s a conversation, and if they fail a second time, there may be a conversation saying, ‘Your bonus may not be as good as it was last year,’” Silberstein said.

“Otherwise, it’s just an interesting exercise. This is a lifestyle of locking the back door every day but doing it digitally,” he added. SOURCE