FINRA Offering New Guidance On Cyber Security Compliance


WASHINGTON—The Financial Industry Regulatory Authority (FINRA) is stepping up its commitment to assist the industry in its cyber security compliance efforts.

Lexology reported that recent guidance to the industry from FINRA includes:

  1. An Examination Findings Report, detailing observations from recent broker-dealer examinations with the goal of assisting broker-dealers in enhancing their compliance programs and better anticipating potential areas of concern (FINRA included compliance areas to highlight based on the frequency of deficiencies and the potential impact on investors and markets)
  2. The 2018 Regulatory and Examination Priorities, in which FINRA instructed firms to review the priorities in conjunction with the Examination Findings Report

FINRA called cyber security in its Examination Findings Report one of the “principal operational risks facing broker-dealers.” While acknowledging the increased threats today, FINRA noted that firms have generally increased their focus on cybersecurity issues and some firms examined are at the forefront of developing “cutting-edge cyber security programs,” Lexology explained.

FINRA detailed the areas in which its examinations found firms’ cyber security programs to be either effective or deficient. Lexology listed the examples FINRA provided of effective and ineffective cyber security practices:

Examples of Effective Practices Include:

  • Escalation Protocols: Have an escalation process that ensures appropriate personnel at the firm are apprised of issues to ensure attention and resolution
  • Plans to Resolve Issues: Implement detailed resolution steps and timeframes for completion
  • Routine Risk Assessments: Conduct regular risk assessments, including vulnerability and penetration tests
  • Routine Training: Conduct training for firm employees, including training tailored to different functions, in addition to generic cross-firm training
  • Branch Office Reviews: Include cyber security focused branch exams to assess risks and identify issues
  • Additional Practices: Implement security information and event management practices, use system usage analytics, and adopt data loss prevention tools

Examples of Deficient Practices Include:

  • Failure to Follow Access Management Steps:
    • Not immediately terminating access of departing employees
    • Failing to have processes to monitor or supervise “privileged users” to identify unusual activity (e.g., assigning extra access rights, unauthorized work outside business hours, or logging in from different geographical locations at or about the same time)
  • Infrequent or No Risk Assessments:
    • No formal risk assessment practices
    • Unable to identify critical assets or potential risks
  • Informal Processes for or Lack of Vendor Management:
    • Failed to have formal processes to assess vendor’s cyber security preparedness
    • Failed to include required notification of breaches involving customer information in vendor contracts
  • Noncompliant Branch Offices:
    • Failed to manage passwords
    • Failed to implement security patches and software updates
    • Failed to update anti-virus software
    • Lacked control of employee use of removable storage devices
    • Use of unencrypted data and devices
    • Failed to report incidents
  • Segregation of Duties:
    • Failed to segregate duties for requesting, implementing, and approving cyber security rules and systems changes
  • Data Loss Prevention:
    • Lack of rules to ensure all customer sensitive information is covered
    • Permitted or failed to block large file transfers to outside or untrusted recipients
    • Failed to implement formal change-management processes for data loss prevention systems changes
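The privileged-user monitoring that FINRA lists as a common gap can be expressed as a few concrete checks over audit events. The following is an added example, not FINRA's or Lexology's material; it runs the three indicators named above (extra rights being assigned, activity outside business hours, and logins from different locations close together) over a constructed sample log, with the business-hours window, the one-hour travel window and the event field layout all being assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of privileged-user audit events (not real data).
# Each tuple: (UTC timestamp, actor, event type, detail).
# For "login" the detail is the source region; for "grant_rights" it is the grantee.
EVENTS = [
    ("2018-03-05T09:12:00", "admin_jane", "login", "US-NY"),
    ("2018-03-05T09:20:00", "admin_jane", "login", "DE-FRA"),  # 8 min later, other region
    ("2018-03-05T23:45:00", "admin_bob", "login", "US-NY"),    # outside business hours
    ("2018-03-05T14:05:00", "admin_bob", "grant_rights", "admin_bob"),  # self-granted rights
    ("2018-03-05T10:00:00", "admin_sue", "login", "US-NY"),    # benign
]

BUSINESS_HOURS = (8, 18)          # assumed local working window, [08:00, 18:00)
TRAVEL_WINDOW = timedelta(hours=1)  # assumed: two regions within an hour is implausible


def parse(event):
    ts, actor, kind, detail = event
    return datetime.fromisoformat(ts), actor, kind, detail


def flag_events(events):
    """Return (actor, indicator, evidence) tuples for the unusual activity
    described in the examination findings; events are processed in time order."""
    findings = []
    prior_logins = {}  # actor -> list of (timestamp, region)
    for ts, actor, kind, detail in sorted(map(parse, events)):
        if kind == "login":
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append((actor, "after_hours_login", ts.isoformat()))
            for prev_ts, prev_region in prior_logins.get(actor, []):
                if prev_region != detail and ts - prev_ts <= TRAVEL_WINDOW:
                    findings.append((actor, "multi_location_login",
                                     f"{prev_region}->{detail}"))
            prior_logins.setdefault(actor, []).append((ts, detail))
        elif kind == "grant_rights" and detail == actor:
            # Simplified heuristic: a privileged user extending their own rights
            findings.append((actor, "self_granted_rights", detail))
    return findings


if __name__ == "__main__":
    for finding in flag_events(EVENTS):
        print(finding)
```

In practice each indicator would be fed from the SIEM the effective-practices list recommends, with the findings routed through the firm's escalation protocol rather than printed.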