Skip navigation

FINRA’s Cybersecurity Best Practices

FINRA announces the latest best practices, including a wealth of cybersecurity suggestions for mobile devices.

Updating its 2015 report, the Financial Industry Regulatory Authority released a cybersecurity report outlining prudent security measures for advisors interested in shoring up their cybersecurity protocols. The report covers controls in branch offices, methods of mitigating phishing attacks, how to identify and counteract insider threats, how to build a strong penetration-testing program and, perhaps most timely, how to establish and maintain controls on mobile devices.

Observing the challenges some firms have in maintaining cybersecurity controls in branch locations, FINRA noted that branch autonomy can run in the face of consistent firm-wide security. After evaluating the need for cybersecurity enhancements, the organization suggested that firms take steps like implementing robust examination programs and formalizing oversight via Written Supervisory Procedures. Establishing asset inventories to outline the scope needing protection are also particularly useful.

The social engineering behind phishing attacks can make them particularly challenging to defend against. In some cases, merely recognizing the attack can be a challenge, so FINRA suggested including phishing scenarios in the firm-level risk assessment process. Effective policies also included: clarifying that users should not click on any links or open any attachments in suspected phishing emails; and developing a process to securely notify IT administrators and compliance staff of suspected phishing attempts. Wire transfers can pose particularly disastrous consequences, so the authority suggested confirming all requests for wire transfers with the customer via telephone or in person.

Insider threats present a unique situation to cybersecurity measures, noted FINRA, because insiders tend to bypass firm controls, which can cause significant material harm, using both sensitive customer and firm data. Overarching, risk-based insider threat programs tend to implement identity and access management policies and technical controls, including heightened controls for individuals with privileged access. Some firms have even included measures to identify potentially abnormal user behavior in the firm’s network, which the organization noted has been effective at mitigating insider threats. Data loss prevention protocols, like multi-factor authentication, are also used in the more robust cybersecurity environments.

Penetration testing, or simulating an attack on a firm’s internally or externally facing computer network, is a powerful way of bolstering a firm’s cyber defenses. Firms should adopt a risk-based approach to penetration testing and thoroughly vet their testing vendors, suggested FINRA. Because test results are only as good as the manner in which they’re measured, using a variety of testing providers and managing test results are effective ways for maximizing testing.

As computing becomes more dispersed and mobile devices are more commonplace, cyber risks associated with mobile devices are rising, observed FINRA. There are a number of ways to safeguard devices, however. Firms can require all personal devices to maintain a separate, secure, encrypted mobile device management application for firm activities, such as sending emails and scheduling events, the authority suggested. It’s also hard to respond to unknown threats, so including reviews of mobile device security controls in branch office audits and inspections, including for remote employees and branch office staff, can be an effective security procedure, FINRA noted.

“There is no one-size-fits-all approach to cybersecurity,” observed Steven Polansky, senior director of member supervision in the organization’s Washington, D.C. office. The latest FINRA report can help firms “determine the right set of practices for their individual business,” he added.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.