3 January 2019

FINRA Reviews Information-Security Controls

Cadwalader, Wickersham & Taft LLP


Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.

FINRA's new Report on Selected Cybersecurity Practices - 2018 (the "Report") is one of FINRA's latest initiatives to help broker-dealers further enhance their cybersecurity programs. In the Report, FINRA reviewed how firms are (i) bolstering their cybersecurity controls in branch offices, (ii) limiting phishing attacks, (iii) identifying and alleviating insider threats, (iv) strengthening penetration-testing programs, and (v) creating and maintaining controls on mobile devices.

FINRA observed firms instituting the following practices, among others:

  • establishing written supervisory procedures ("WSPs") to (i) define minimum cybersecurity controls and formalize the oversight of branch offices, (ii) mandate the supervision of privileged user system access activities, and (iii) mandate the "capturing of system logs from sources for aggregation into a [Security Information and Event Management] tool";
  • developing branch-level WSPs and other guidance on cybersecurity controls and disseminating such guidance to all branches;
  • establishing a Data Loss Prevention Program and applicable WSPs to oversee and prevent data breaches;
  • mandating branches to perform "initial and recurring inventories of branch assets and update the firm" about any changes;
  • creating identity and access management protocols for registered representatives;
  • devising a framework to identify cybersecurity risks, risk levels and related controls at each individual branch;
  • formulating policies to address phishing; and
  • demonstrating a commitment to the firm's cybersecurity policy through personal compliance with policy requirements.

Commentary / Steven Lofchie

This is one of the most explicit attempts by the regulators to require the formalization of cybersecurity compliance procedures, just as firms would formalize procedures to obtain best execution or to prevent insider trading. Firms that have not done so are thus warned that cyber and other technology risks should be fully integrated into their compliance programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
