Cyber Risks Exploding Part Three
By Harry J. Lew
Despite relentless media coverage, fewer than half of advisors (44 percent) say they fully understand cybersecurity risks and even fewer (29 percent) say they’re prepared to manage and mitigate the risks they face. These were two key findings from a Financial Planning Association (FPA) Research and Practice Institute study.
The results underscore why financial-services regulatory agencies have gone into hyper-drive recently to move their licensees to safer ground when it comes to cyber-threats. But as we’ve discussed in several prior articles, their jobs aren’t done. In Part 1 of this series, we reviewed the nature and scope of financial cyber-risks. In Part 2, we discussed what the Securities and Exchange Commission (SEC) is doing to keep investment advisors (and their clients) safe. In Part 3 (this article), we’ll address the Financial Industry Regulatory Authority’s (FINRA’s) cybersecurity posture and how securities brokers should protect themselves.
Cybersecurity: The FINRA Position
Did you know FINRA does not actually have a cybersecurity rule? That being the case, why is it so active? Because it promotes cyber-safety on the basis of other FINRA and SEC rules. In fact, FINRA states on its website that the evolving nature of cyber-threats and the increasing frequency and sophistication of cyber-attacks—as well as the increasing potential for these attacks to hurt investors, securities firms, and the markets—makes FINRA’s involvement crucial.
A key FINRA concern is making sure securities firms are able to protect the confidentiality, integrity, and availability of sensitive customer information. To this end, FINRA enforces three SEC regulations/laws, including:
- Regulation S-P (17 CFR §248.30), which mandates adoption of written policies and procedures to protect customer information against cyber-attacks and other methods of prohibited access.
- Regulation S-ID (17 CFR §248.201-202, which defines a firm’s duties when it comes to detecting, preventing, and mitigating identity theft.
- The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which makes firms accountable for the electronic preservation of stored records in a non-rewriteable, non-erasable format.
In addition to enforcing the above rules, FINRA views itself as a cybersecurity evangelist—identifying management practices that work, sharing those ideas with member firms, and giving firms feedback when their practices fall short. In this role, the regulatory body says it swaps its enforcement hat (thought not entirely) with an educator’s one, helping members handle issues such as technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.
However, as you might imagine, its current posture is a work in progress. In January 2014, in response to mounting industry cyber-attacks, FINRA announced it would examine members firms to see how they prevented cyber-threats. Among the topics to be addressed: the types of threats facing securities firms, the nature of cyber-vulnerabilities, the most common firm approaches to managing risks, and avenues for intelligence gathering and sharing.
The resulting Report on Cybersecurity Practices (February 2015) generated findings that have guided the regulator and its licensees ever since. Among the major ones:
- Cybersecurity demands strong board and senior-executive involvement.
- Risk assessments are a bedrock tool for effectively identifying and mitigating cyber-risks.
- Firms must adopt highly customized technical controls in order to shield themselves from cyber-attacks.
- Firms should design, install, and test incident-response plans that comprise containment and mitigation, eradication and recovery, customer notification, investigation, and customer loss remediation.
- They should also exercise strong due diligence across all their vendor relationships in order to screen out the cyber-risks those parties might bring to the table.
- Firms should make staff training a high priority in order to help employees avoid obvious security breaches such as clicking on URLs inside unknown e-mails.
- Finally, FINRA members should co-ordinate intelligence sharing between firms in order to mount a collaborative industry self-defense.
With the cyber-security spadework complete, FINRA entered a phase of heightened scrutiny of member firms’ business practices, not to write them up for rule violations, but to spark co-operative problem solving. “It’s really important for FINRA to be engaged in dialog with firms,” explains Susan Axelrod, FINRA’s Executive Vice President, Regulatory Operations. “Our purpose is to help firms understand where the issues and challenges are and to help promote best practices.” She added, “We rarely write up firms or have findings. . . . It’s more along the lines of making recommendations. Very rarely will we refer a firm for enforcement in the cybersecurity area.”
Still, FINRA won’t hesitate to nudge firms to adopt more effective security practices, as well as punish them through enforcement actions when necessary.
The former happened in June 2017 when FINRA identified six common cybersecurity weaknesses based on its recent examinations. Among those were chinks in how firms control access to technology systems, especially by employees who have left their firms; failure to segregate technology application developers; not implementing proper vendor oversight; and dropping the cybersecurity ball in terms of having effective policies and procedures in remote offices.
The latter occurred when FINRA fined 12 securities firms $14.4 million for failing to protect their records against alternation. The problem, it found, was that the firms, including major players such as Wells Fargo Securities, LPL Financial, and RBS Securities, failed to maintain electronic records in “write once, read many” (WORM) format. This prevents the alternation or destruction of records stored electronically. Worse, FINRA said these deficiencies affected millions, and in some cases, hundreds of millions of records, spanning multiple systems and record categories.
FINRA has also moved against securities firms that have failed to properly safeguard client data. For instance, in 2010 they sanctioned a firm for not placing proper controls on the use or sharing of usernames and passwords. They also found the firm didn’t implement adequate procedures to assure that security software was installed on broker-owned computers used at work and at home. Nor did it periodically inspect those computers for problems, even though they were used to access the firm’s portfolio management system. Result: FINRA fined the firm $450,000.
What can you expect from FINRA in the future? Probably not an actual cybersecurity rule or much enforcement, but rather continuing examinations, feedback, and gentle (and not-so-gentle) reminders for up their cyber games. In its 2017 Regulatory and Examination Priorities Letter, FINRA President and CEO Robert Cook spoke of the regulator’s desire to assess firms with great flexibility, acknowledging there’s no “one-size-fits-all” cybersecurity approach. Among the practices FINRA will monitor are:
- Methods for preventing data loss, especially centering on where data lives and how it flows both within a member firm and between members and their vendors.
- Firms’ efforts to protect sensitive client data against insider threats.
- Adequate cyber-controls at branch offices.
- Preserving data records in suitable WORM format.
In short, if you have a securities license, it’s important to stay on top of FINRA’s engagement with this crucial industry threat. Because the more you know about their expectations, the stronger your cyber-defenses will be. And that’s a good thing for both you and your clients.
In Part 4 of this series, we will examine how insurance regulatory agencies have addressed cybersecurity.
- Financial Planning Association
- Securities and Exchange Commission