What FINRA's Cybersecurity Report Means for Financial Advisors

As the financial industry advances in technology to increase efficiency and enhance client service, firms face a daunting risk of increased exposure to cybersecurity threats and attacks. The changes in how firms and clients use and interact through technology create a variety of new avenues for intrusion that must be proactively addressed.

Earlier this year FINRA issued its Report on Cybersecurity Practices , which suggests using a risk management method to cybersecurity, while noting there isn’t a one-size-fits-all method. The report reviews the results of an industry-wide cybersecurity examination and emphasizes the importance of protecting both investor and firm data. In addition, FINRA outlines effective practices to assist firms with their cybersecurity efforts by determining vulnerabilities in existing systems and analyzing and creating processes to manage risk.

Due to a consistent rise in the number of cybersecurity breaches taking place, advisors need to incorporate security management into their daily practice and ensure everything is being done to protect client and firm data. FINRA’s report provides a list of principles and best practices to guide advisors on cybersecurity and highlights eight key areas:

Leadership

Senior-level management and board of director engagement and knowledge regarding cybersecurity issues is essential to the framework and success of your firm’s cybersecurity process. Involvement and commitment from leadership is critical for firms to achieve cybersecurity goals.

Risk Assessments

Every firm faces cybersecurity risk, no matter the size or business model. To understand your risk, be proactive by completing regularly scheduled risk assessments to identify both external and internal areas of vulnerability. If you don’t know if your system is flawless, a risk assessment is crucial.

Technical Controls

Multiple security controls need to be implemented to protect software and hardware that stores and processes data. Select controls that are appropriate to your technology platform through identity and access management, data encryption, and penetration testing.

Response Plans

FINRA recommends that firms establish policies and procedures, assign roles and responsibilities, and test incident plans for responding to cybersecurity occurrences. FINRA also notes that while it is impossible to address every type of attack, a response plan should outline processes for several different scenarios.

Vendor Relationship Management

Cybersecurity risk that could arise from third-party service providers must be managed by performing due diligence throughout the relationship cycle. Utilize contractual agreements to establish processes for vendors who have access to sensitive data, client information, or firm systems. In addition, develop terms based on the sensitivity level of information the vendor has access.

Staff Training

Define cybersecurity training needs, training cycles, and deliver training to all team members based on your firm’s specific points of exposure. Each employee should have a full understanding of your risk assessment process, threat intelligence research, and the proper incident reporting procedures in the event a device is compromised or infected.

Increase Cyber Threat Intelligence

Assign responsibility for cybersecurity intelligence gathering and analysis. The collected data should then be utilized to recognize, discover, and respond to cybersecurity threats. Your firm should also implement an information sharing process to proactively secure measures that reduce security weaknesses and improve their ability to protect data.

Insurance Coverage

Evaluate insurance coverage for cybersecurity-related events and pay close attention to policy coverages and exclusions. If you hold a cyber-insurance policy, conduct a periodic analysis to review the adequacy of coverage and the ability to reduce the potential impact to your financial statement in the event of an attack.

The Bottom Line

FINRA stated that the report does not create new legal requirements and included the following statement:

“FINRA expects firms to consider the principles and effective practices presented in this report as they develop or enhance their cybersecurity programs. FINRA will assess the adequacy of firms’ cybersecurity programs in light of the risks they face. This report is not intended to express any legal position, and does not create any new legal requirements or change any existing regulatory obligations.”

Financial advisors are taking cybersecurity seriously by implementing programs and procedures and analyzing systems to ensure that client and firm data is secure and well protected from lurking hackers.