Broker-Dealers: Rebalance Cybersecurity Initiatives for 2018

The SEC released a National Exam Program Risk Alert from the Office of Compliance Inspections and Examinations (OCIE) with detailed findings from cybersecurity examinations of broker-dealer and RIA firms conducted from 2014 through 2016.
By: RND Resources, Inc | www.finracompliance.com
 
WOODLAND HILLS, Calif. - Oct. 26, 2017 - PRLog -- Broker-dealer and RIA firms are becoming more vulnerable to cyber threats every day due to increased reliance on web-based solutions and mobile device activity. As a regulatory compliance consulting firm, we see cybersecurity programs becoming an increasingly important part of business strategy. Data theft by cyber-criminals, attacks by nation states or terrorist groups, hacktivists causing embarrassment, and internal attacks from company insiders, employees, or competitors all present a viable threat to financial service businesses. Given the broad spectrum of threats, firms should closely monitor cyber activity at their firm and use the methods outlined by FINRA and the SEC when implementing their cybersecurity program.

Elements of an effective Cybersecurity plan –  http://www.finracompliance.com/resources/

FINRA released a report in February 2015 outlining its expectations of a sound cybersecurity program. It included the following criteria:

· Cybersecurity Governance and Risk Management – A governance framework for decision making and handling issues; policies, processes, and relevant controls.

· Cybersecurity Risk Assessment – Conduct regular assessments to identify risks and threats; maintain an inventory of assets posing a risk; prioritize threat level and implement remediation where appropriate.

· Technical Controls – Protection of firm software, hardware, and data; penetration testing and encryption standards.

· Incident Response Planning – Policy and procedures for identifying the threat level of a cybersecurity incident and escalating the crisis appropriately for an efficient resolution.

· Vendor Management – Risk-based analysis of vendors; analysis of the cybersecurity threat from data sharing with third-party vendors.

· Staff Training – Training tailored to staff and business operations, including testing, periodic training schedules, and remediation efforts.

· Cyber Intelligence and Information Sharing – Periodic evaluation of cyber threats and strategic objectives, and assessment of the firm's ability to respond to a breach or disruption.

· Cyber Insurance – Analysis of the potential to offset the remediation expense of a cyber-incident; regular review of coverage and objectives.

Regulators such as FINRA and the SEC suggest using a risk-based approach to cybersecurity, implemented alongside industry frameworks and standards. An example of an acceptable industry framework is the one developed by NIST (National Institute of Standards & Technology), the "Framework for Improving Critical Infrastructure Cybersecurity". The NIST Framework is a flexible method designed around business needs, risk tolerance, and resources.

Below are 7 suggestions from RND Resources Inc. to improve cybersecurity strategy for firms updating and reviewing cybersecurity initiatives for 2017-2018. These recommendations, when implemented, can ease anxiety about regulatory cybersecurity exams and improve the chances of a smooth FINRA or SEC examination process.

· Appoint an executive leader to take ownership of the cybersecurity program for your firm.

· Review the FINRA-released whitepaper on cybersecurity practices for broker-dealers and investment firms annually, including the FinCEN Suspicious Activity Report.

· Test the firm's incident response plan (IRP) and make adjustments where appropriate.

· Review employee manuals regarding cybersecurity procedures and policies. Regularly update the employee cybersecurity manual to include new threats and risks.

· Maintain a written standard for employees to refer to in case of an incident. Be sure to distribute updated policy changes and include them in employee cybersecurity manuals.

· Strategize a training program that includes testing criteria for each job description and department. Recognize that the majority of cyber-incidents are attributed to carelessness, ill will, or lack of staff training. Test employees on using the plan periodically, randomly, and without warning.

· Develop standards for on-boarding third-party service providers who have been given access to electronic data. Annually review each third-party vendor's cybersecurity policy and determine their risk to your firm's electronic data security.

Going forward with cybersecurity initiatives

In August 2017 the SEC released a National Exam Program Risk Alert from the Office of Compliance Inspections and Examinations (OCIE). The release detailed findings from cybersecurity examinations of BD and RIA firms conducted from 2014 through 2016. The weaknesses uncovered in the Cybersecurity 2 Initiative examinations, and the areas where OCIE sees potential for improvement, follow:

A) While nearly all BDs and RIAs examined maintained written policies and procedures, many were not reasonably tailored to the firm. Examiners found manuals were too general, vague, or limited in defining examples and best practices. They noted that manuals vaguely described the procedures for initiating a cyber incident response.

B) While firms had devised policies and procedures, many were not adhered to. For instance, annual reviews were not conducted annually. Testing of security protocols was never conducted or rarely improved upon. Some instruction manuals were structured too poorly relative to their critical purpose.

C) With regard to Regulation S-P, "Privacy and Protection of Consumer Financial Information", installation of software updates and patches was not timely. Poorly maintained or outdated systems put consumer data at risk and pose an unreasonable threat to it. Further, discoveries made from system penetration tests were not remediated in a timely manner.

For more suggestions and news about cybersecurity standards released by FINRA and the SEC, visit RND Resources Inc at www.finracompliance.com

Start-up BDs and BDs needing to update their cybersecurity policies and procedures: visit the blog at RND Resources Inc. http://www.finracompliance.com/blog/

Media Contact
RND Resources Inc | Amie Akridge
***@finracompliance.com
8186570288