On February 3, 2015 the Financial Industry Regulatory Authority (FINRA) released its long-awaited Report on Cybersecurity Practices, a broad overview of the state of play in the cybersecurity arena for broker-dealers.¹ (Although FINRA has examined only broker-dealers, its Report is helpful for the entire securities industry.) The Report is the culmination of FINRA’s 2014 targeted examination of firms, supplemented by information FINRA has learned in other initiatives. The Report presents FINRA’s current thinking on steps firms should consider taking to mitigate the risk of a cyberattack and steps that may help firms respond to an attack. The bottom line is that financial services firms are the target of cyberattacks and FINRA’s Report is meant to assist firms in responding to those threats.

The 2014 targeted examination, or “sweep,” concentrated on an A-to-Z identification of the risks firms face, the manner in which firms are vulnerable, and the resources available to combat the risk of a data breach. This broad sweep allowed FINRA to dive deep into a cross-section of the industry’s practices regarding cybersecurity. Therefore, the Report serves as an excellent rubric against which financial services firms can grade their own cybersecurity measures. As a point of comparison, FINRA released its cybersecurity Report on the same day that the U.S. Securities and Exchange Commission (SEC) released findings from its cybersecurity exam sweep.² Unlike the SEC’s report, which largely summarized the current state of cybersecurity in the securities industry, FINRA’s Report “is intended to assist firms” in responding to cyber threats.

Despite its breadth, FINRA’s Report is generally a high-level overview of the challenges facing firms when dealing with cybersecurity and potential solutions to those challenges. The Report acknowledges, as other cybersecurity guidance has suggested,³ that firms of varying sizes, serving different customer bases, and operating in different corners of the market may find that different approaches to cybersecurity are best suited for their particular business.

The Report then outlines various options open to different firms, rather than prescribing the use of certain methods. As such, the Report presents broad principles that firms may want to achieve through their cybersecurity programs in a number of key areas. Those principles are familiar and include implementing a sound governance regime with active leadership involvement, engaging in continuing risk assessments, creating a “defense-in-depth” technical control strategy, preparing a sound incident response plan, managing third-party vendor risks, maintaining up-to-date training, and taking advantage of intelligence-sharing opportunities within the industry. FINRA has stated that it expects firms to consider these principles in their day-to-day business and that it will “assess the adequacy of firms’ cybersecurity programs in light of the risks they face.”

In addition to identifying the broad cybersecurity principles it expects firms to consider, FINRA also highlighted a number of specific areas on which FINRA thinks firms should be focusing. FINRA’s discussion of these areas included a technical review of specific mitigation methods, along with best practices and case studies, a few of which are highlighted below:

• Governance and Risk Management
  • Case Study: One FINRA enforcement action was the result of hackers breaching the firm’s servers and acquiring confidential customer information. FINRA found that the firm had no written procedures designed to protect customer information, failed to check for system intrusions, and ignored an auditor’s suggestion of acquiring an intrusion detection system.
    • This case study highlights an important point: regulators will expect that firms learn from their mistakes and react to known cybersecurity deficiencies. The SEC, for example, fined a firm $275,000 for not “tak[ing] immediate corrective action” after receiving an audit report of the firm’s cybersecurity deficiencies. While the firm was considering implementing the report’s recommendations, the firm was hacked.⁴
• Risk Assessments
  • FINRA Best Practices: FINRA recommends that firms conduct regular system assessments to determine risks, to identify informational assets requiring protection, and to prioritize risk remediation.
    • FINRA’s guidance on this point should not be surprising to firms that have already implemented (or begun to implement) a cybersecurity program. The National Institute of Standards and Technology (NIST) Framework for improving cybersecurity, for example, notes that risk assessment-related activities “are foundational” and “enable[] an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.”⁵
• Technical Controls
  • FINRA Best Practices: FINRA recommends that firms implement a “defense-in-depth” strategy involving multiple layers of independent security controls that employ controls appropriate to a firm’s technology and threat environment.
    • As other sections of FINRA’s Report suggest, however, an effective cybersecurity program often requires more than just technical controls. Indeed, the SEC’s Regulation S-P (the “Safeguards Rule”), which serves as the cornerstone of cybersecurity regulation in the securities industry, requires that firms’ policies and procedures also address “administrative” and “physical” safeguards reasonably designed to protect customer records and information.⁶
• Incident Response Planning
  • FINRA Best Practices: According to FINRA, the principle objective of incident response planning is to create a structure that manages the response to a cybersecurity event in a way that best mitigates damage and reduces costs. Incident response plans should be context-specific and should take into account the firm’s likely threats, current cybersecurity intelligence, technical controls, and notification plans.
• Vendor Management
  • Case Study: FINRA highlighted the vendor management practices of one firm’s purchasing department in managing a vendor due diligence process. FINRA noted that the firm employed a steering committee with members from various management groups, a risk and compliance software platform, and a questionnaire to determine potential risks to the firm. The firm also employed context-specific processes that varied in complexity based on the risk of customer information being compromised and required varying levels of management approval based on the risk profile.
    • FINRA’s concern about vendors is well warranted; third-party vendors with weak cybersecurity practices have been the cause of a number of high-profile cyberattacks in recent years.
• Staff Training
  • FINRA Best Practices: Because employees are one of the main sources of cybersecurity risk (either maliciously or inadvertently), FINRA noted that firms should define their training needs based on the firm’s risk profile, determine appropriate training intervals, and deliver interactive training that includes information regarding lessons learned and recent loss incidents.
• Intelligence and Information Sharing
  • FINRA Best Practices: FINRA recommends that firms implement inter- and intra-firm intelligence-sharing procedures to ensure that the firms have current information regarding emerging threats. FINRA also tried to allay fears that information sharing could violate privacy or antitrust laws by citing Federal Trade Commission and Department of Justice statements indicating that high-level information sharing should not cause regulatory concern.

FINRA’s discussion of these areas provides an in-depth look at the manner in which firms addressed each type of cybersecurity risk and provides specific examples of potential implementation strategies. As firms review their cybersecurity risk management plans, the Report may serve as an excellent refresher (or starting point) for the relevant issues at play and the questions that need to be asked. The Report also provides a useful guide for the goals that a firm may want to achieve in implementing a cybersecurity plan. Each firm must, however, decide which level of risk is appropriate based on its business and implement cybersecurity risk management plans accordingly.

While hackers are gonna hack, firms may be able to shake it off with the assistance of FINRA’s Report.⁷

1 FINRA’s Report on Cybersecurity Practices is available at http://www.finra.org/Industry/Regulation/Guidance/CommunicationstoFirms/P602365.
 
2 SEC National Exam Program Examination Priorities for 2015, at 3 (Jan. 13, 2015), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf.
 
3 For example, the NIST Framework for Improving Critical Infrastructure Cybersecurity, on which the SEC based its cybersecurity exam questions, offers a flexible approach to cybersecurity. See NAT’L INST. OF STDS. & TECH., Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
 
4 See SEC Release 34-58515 (Sept. 11, 2008), available at https://www.sec.gov/litigation/admin/2008/34-58515.pdf.
 
5 NIST Framework at 8.
 
6 17 C.F.R. § 248.30(a).
 
7 Cf. T. Swift, Shake It Off (Big Machine, 2014).