Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA.
FINRA also reviews a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations, including:
Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format
FINRA reviews firms’ approaches to cybersecurity risk management, including: technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.
Small Firm Cybersecurity Checklist
FINRA has created a Cybersecurity Checklist (Excel 114 KB) to assist small firms in establishing a cybersecurity program to identify and assess cybersecurity threats, protect assets from cyber intrusions, detect when their systems and assets have been compromised, plan for the response when a compromise occurs, and implement a plan to recover lost, stolen or unavailable assets. This checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices. Use of this checklist does not create a “safe harbor” with respect to FINRA rules, federal or state securities laws, or other applicable federal or state regulatory requirements.
2015 Report on Cybersecurity Practices
FINRA’s Report on Cybersecurity Practices in the broker-dealer industry highlights effective practices that firms should consider to strengthen their cybersecurity programs.
The observations and practices in the report are based on a variety of sources, including a sweep we conducted in 2014 of firms of varying sizes and business models, a 2011 survey of firms and interviews with other organizations involved in cybersecurity. As we note in the report, there is no one-size-fits-all approach to a cybersecurity infrastructure. Rather, the risk management-based approach that we discuss in the report enables firms to tailor their program to their particular circumstances.
If an Attack Occurs
In the event of a cyberattack, firms should immediately contact the following Federal agencies:
In addition, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information. For a list of relevant legislation per state or territory, please consult the National Conference of State Legislatures website.
Contact Kaliko & Associates, LLC at 201-739-5555 or firstname.lastname@example.org for your questions related to cybersecurity practices or breaches of information from your systems.