FINRA's new Report on Selected Cybersecurity Practices - 2018 (the "Report") is one of FINRA's latest initiatives to help broker-dealers further enhance their cybersecurity programs. In the Report, FINRA reviewed how firms are (i) bolstering their cybersecurity controls in branch offices, (ii) limiting phishing attacks, (iii) identifying and alleviating insider threats, (iv) strengthening penetration-testing programs, and (v) creating and maintaining controls on mobile devices.

FINRA observed firms instituting the following practices, among others:

  • establishing written supervisory procedures ("WSPs") to (i) define minimum cybersecurity controls and formalize the oversight of branch offices, (ii) mandate the supervision of privileged user system access activities, and (iii) mandate the "capturing of system logs from sources for aggregation into a [Security Information and Event Management] tool";
  • developing branch-level WSPs and other guidance on cybersecurity controls and disseminating such guidance to all branches;
  • establishing a Data Loss Prevention Program and applicable WSPs to oversee and prevent data breaches;
  • requiring branches to perform "initial and recurring inventories of branch assets and update the firm" about any changes;
  • creating identity and access management protocols for registered representatives;
  • devising a framework to identify cybersecurity risks, risk levels and related controls at each individual branch;
  • formulating policies to address phishing; and
  • demonstrating a commitment to the firm's cybersecurity policy through personal compliance with policy requirements.

Commentary / Steven Lofchie

This is one of the most explicit attempts by the regulators to require the formalization of cybersecurity compliance procedures, just as firms would formalize procedures to obtain best execution or to prevent insider trading. Firms that have not done so are thus warned that cyber and other technology risks should be fully integrated into their compliance programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.