Do You Know How To Follow FINRA’s Cybersecurity Advice?

FINRA has tried to make its cybersecurity recommendations clear – do you really understand what they mean? If you do, then compliance is relatively simple. If not, you’re risking a major fine.

How To Follow FINRA’s Cybersecurity Advice

For all intents and purposes, you should really think about FINRA compliance and cybersecurity as the same thing. While they’re not technically exactly aligned, when it comes to firms like yours, the difference is negligible.

Do you know where to begin?


What’s The Basis Of FINRA Compliance?

Let’s start with the basics – compliance is determined by your firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.

That means following the three regulations below. Think of them as what’s required of you and how you deal with your data.

  • You Need A Written Policy: Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
  • You Need To Protect Against Identity Theft: Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
  • Your Data Needs To Be Stored The Correct Way: The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format

5 FINRA Best Practices For Your Firm To Follow

1. Keep Data Safe Where Branches Are Concerned

The point of Written Supervisory Procedures (WSPs) is to make sure your branches are as secure as your primary location. No matter how good your onsite cybersecurity is, that protection doesn’t automatically extend to your branches.

Make sure to dictate exactly how branches are expected to protect data, such as:

  • Mandatory security controls
  • Notifications concerning issues and breaches
  • Accepted security settings and vendors
  • Assignment of duties and responsibilities pertaining to cybersecurity controls
  • Training curriculum and testing protocols

2. Defend Against Phishing

Phishing (and all social engineering techniques) relies on the element of surprise.

It’s a method in which cybercriminals send fraudulent emails that appear to come from reputable sources in order to get recipients to reveal sensitive information or execute significant financial transfers.

That’s why cybersecurity awareness training is becoming a more common part of modern IT services. Users are a key target for cybercriminals; the more they know about cybercrime tactics, like phishing, the better defended your organization will be.

3. Don’t Make Assumptions

No matter how much you’ve invested in your cybersecurity, you can’t just assume it’s effective enough to protect you against cybercriminals. A key best practice for cybersecurity is to regularly test your measures to make sure they hold up in the event of an attack, and to identify any unseen vulnerabilities that are putting you at risk.

That’s why FINRA recommends running penetration tests (an authorized attempt to break through your organization’s cybersecurity defenses) both on a regular basis and after key events – anything that significantly changes your firm’s infrastructure, staffing, access controls, or other cybersecurity-related considerations.

4. Involve Your Staff In Cybersecurity

Do your employees have the knowledge they need to defend your firm?

If you’re not sure, then they probably need training. Security awareness training helps your employees and volunteers know how to recognize, and avoid being victimized by, phishing emails and scam websites.

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.

5. Keep Data Protected On Mobile Platforms

It’s no surprise that mobile devices are continuing to become a central and necessary part of the business world. What might be surprising is how unprepared some businesses are for that reality.

No matter what kind of cybersecurity you have in place at the office, it won’t automatically extend to the mobile devices that have access to your data.

This is a critical limitation of your cybersecurity software, and it’s obvious when you think about it – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then obviously you won’t be totally secure.

That’s why you need to have the right mobile cybersecurity measures in place:

  • Virtual Private Network
    A VPN creates an encrypted tunnel for your data as it crosses the Internet, routing it through a network of private servers. That makes it harder for an attacker to identify you as the source of the data – whether you’re on your mobile device’s data connection or using an unsecured retail Wi-Fi network while you’re in line for coffee. Even if attackers can intercept your traffic, the encryption means they can’t read it or use it to their advantage. Keep in mind that the tunnel only protects data between the device and the VPN server; it does nothing for data already on a compromised device.
  • Find My Phone
    These types of apps allow you to remotely turn on your phone’s GPS to determine where it is. Some of the more security-focused versions also let you execute additional actions to eliminate security risks. The right monitoring software for mobile devices will protect you from a number of dangerous scenarios, including:

    1. Jailbreaking and rooting company devices
    2. Unauthorized access to company data
    3. Lost or stolen devices that need to be remotely wiped
  • Password Managers
    These programs store all of your passwords in one place, which is sometimes called a vault. Some programs can even generate strong passwords for you and keep track of them all in one location, so the only password or passphrase you have to remember is the one for your vault. The downside of using a password manager is that if an attacker cracks your vault password, he or she knows all of your passwords for all of your accounts, so protect the vault with a long passphrase and, where the product supports it, multi-factor authentication.
