The Cyber and Analytics Unit within the Member Supervision program of the Financial Industry Regulatory Authority, Inc. ("FINRA") recently published a cybersecurity advisory regarding increasing cybersecurity risks at third-party providers (the "Cybersecurity Advisory").1 The Cybersecurity Advisory highlights third-party risks to FINRA member firms and effective practices to mitigate such risks.
FINRA's Cybersecurity Advisory comes at a time when third-party cyber risk is regularly in the headlines. The Cybersecurity Advisory cites several third-party incidents in the recent past that impacted member firms, such as the 2023 MOVEit incident, which has been monitored by FINRA over the last year (see Cybersecurity Alert - FINRA Notifies Member Firms of MOVEit Software Vulnerability (CVE-2024-5806)).2 While the Cybersecurity Advisory does not establish new legal or regulatory requirements, FINRA urges member firms to consider the advisory as they review or update their existing third-party outsourcing/vendor policies and practices, including their cybersecurity policies and practices.
VENDOR OVERSIGHT IS NOT NEW
Outsourcing arrangements and vendor oversight are a longstanding focus of FINRA. In 2005, FINRA (then the National Association of Securities Dealers, Inc.) published Notice to Members 05-48 (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers), which identified common activities/functions that firms frequently outsource, including accounting/finance services, legal and compliance services, information technology (IT) and cybersecurity, as well as certain administration and operations functions. In light of the significant expansion over the years of the scope and depth of firms' use of technology and vendors to perform risk management and supervisory functions, FINRA published, in 2021, Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors),3 outlining common control failures, along with questions to consider when evaluating whether a member firm has adequately addressed vendor management.
In addition to FINRA, other regulators continue to highlight risks associated with, and provide guidance regarding, third-party cybersecurity. For example:
- The U.S. Securities and Exchange Commission's recent changes to Regulation S-P include an increased focus on vendor oversight, requiring covered institutions to "establish, maintain and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers."4
- New York Department of Financial Services' Cybersecurity Requirements for Financial Services requires covered entities to "implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible or held by third-party service providers."5
- Interagency guidance of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency on managing risks associated with third-party relationships.6
EFFECTIVE PRACTICES
The Cybersecurity Advisory identifies common practices of member firms that have successfully handled a cybersecurity incident. According to the staff, effective practices for managing third-party provider cybersecurity risk focus on monitoring, planning, patching and testing, implementing multi-factor authentication ("MFA") and creating data inventories.
MONITORING
The Cybersecurity Advisory identifies certain actions that firms can take to monitor internal functions, external threats and third-party providers, including:
- Conducting ongoing monitoring and risk assessments of third-party providers;
- Performing ongoing monitoring for lookalike website domains and phishing emails; and
- Quickly identifying anomalous behavior associated with credential misuse and incorporating this behavior into employee phishing tests to raise threat awareness.
We note that the National Institute of Standards and Technology ("NIST") Cybersecurity Framework 2.0 ("NIST Cybersecurity Framework")7 provides practical guidance for firms to consider when developing a cybersecurity risk monitoring program, including for the monitoring of suppliers throughout the course of the outsourcing/vendor relationship.
PLANNING, PATCHING AND TESTING
The following practices speak to planning, patching and testing to mitigate business impacts from cybersecurity incidents at third-party providers:
- Refining incident response and business continuity plans in the event a third-party provider is taken offline or otherwise unable to operate, and identifying alternative communication channels to contact providers outside of the network;
- Prioritizing patching efforts and implementing fixes to address high-risk vulnerabilities; and
- Regularly testing for failover situations and practicing recovery scenarios from offline backups or when data is re-routed to alternative locations.
The NIST Cybersecurity Framework provides helpful resources for planning, patching and testing within the framework's core functions of "Govern, Identify, Protect, Detect, Respond and Recover." Specifically, the "govern" function outlines how a business will develop, communicate and monitor its overall cybersecurity risk strategy. The "detect" function gives guidance for identifying possible cybersecurity risks. The "protect" function requires that safeguards are used to manage cybersecurity risks.
MFA8
MFA has become an industry standard for identity verification for access to systems. According to the Cybersecurity Advisory, helpful MFA practices include:
- Segmenting networks paired with identity checks and MFA; and
- Implementing MFA for employees using an authentication application and shortening time limits on users' session tokens.
According to NIST, MFA should include two or more authentication factors comprising a combination of the following: something you have (e.g., badge), something you know (e.g., password), something you are (e.g., fingerprint). Further, as a practical consideration, firms should consider developing guidelines with regard to third-party service provider oversight, including establishing policies and procedures for the use of MFA by service providers and limiting service providers' access to relevant information systems and nonpublic information.9
DATA INVENTORIES
According to the Cybersecurity Advisory, effective practices with regard to creating and maintaining data inventories include proactively creating a catalog of data types and assessing whether:
- Personally identifiable information (PII) or firm-sensitive information was transmitted to a third-party provider; and
- A third-party provider was allowed access to this information.
We note that data inventories are invaluable tools for understanding the impact of a cybersecurity incident. When a third-party provider's system is impacted, it may take a long time for the third-party provider to sort through each of its clients' information and provide each client with the full scope of the relevant information that was impacted. By creating records of what data is transmitted to a third-party provider, along with designating the minimum privilege necessary for a third-party provider to perform its functions, firms will be in a better position to recover from a third-party incident.
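As an added illustration of the practice described above (this is example code written for this page, not code from Mayer Brown, FINRA or NIST), the following Python script keeps a small catalog of which data categories a firm transmits to each third-party provider and what access each provider holds, then answers the two questions the advisory poses (was PII or firm-sensitive information transmitted, and was the provider allowed access) and flags providers whose granted access exceeds the minimum their function requires. All provider names, data categories and access levels are constructed for the example.

```python
"""Third-party data inventory with exposure and least-privilege checks.

Added example, not from the article or the FINRA advisory. Every provider,
data category and access level below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Data categories the firm classifies as PII or firm-sensitive (constructed).
PII_CATEGORIES = {"customer_ssn", "customer_account_numbers", "customer_contact", "employee_ssn"}
SENSITIVE_CATEGORIES = {"trade_blotter", "internal_financials"}

# Ordering used to compare granted vs. required access (constructed scale).
ACCESS_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass
class ProviderRecord:
    name: str
    function: str
    data_transmitted: Set[str]   # categories the firm has sent to the provider
    access_granted: str          # access level the provider actually has
    access_required: str         # minimum access the provider's function needs
    network_access: bool = False # whether the provider can reach internal systems


def build_inventory(records: List[ProviderRecord]) -> Dict[str, ProviderRecord]:
    """Index the records by provider name so incident lookups are direct."""
    return {r.name: r for r in records}


def providers_holding_sensitive_data(inventory: Dict[str, ProviderRecord]) -> Dict[str, List[str]]:
    """Map each provider that received PII or firm-sensitive data to the categories it holds."""
    out: Dict[str, List[str]] = {}
    for name, rec in inventory.items():
        hit = rec.data_transmitted & (PII_CATEGORIES | SENSITIVE_CATEGORIES)
        if hit:
            out[name] = sorted(hit)
    return out


def least_privilege_findings(inventory: Dict[str, ProviderRecord]) -> List[Tuple[str, str, str]]:
    """List (provider, granted, required) where granted access exceeds the function's need."""
    findings = []
    for name, rec in inventory.items():
        if ACCESS_RANK[rec.access_granted] > ACCESS_RANK[rec.access_required]:
            findings.append((name, rec.access_granted, rec.access_required))
    return findings


def incident_scope(inventory: Dict[str, ProviderRecord], provider_name: str) -> dict:
    """For a provider reporting an incident, state up front what the firm exposed to it."""
    rec = inventory[provider_name]
    return {
        "provider": provider_name,
        "function": rec.function,
        "pii_exposed": sorted(rec.data_transmitted & PII_CATEGORIES),
        "firm_sensitive_exposed": sorted(rec.data_transmitted & SENSITIVE_CATEGORIES),
        "had_system_access": rec.network_access,
        "access_level": rec.access_granted,
    }


# Constructed sample inventory.
SAMPLE_RECORDS = [
    ProviderRecord("TransferCo", "managed file transfer",
                   {"customer_account_numbers", "customer_contact", "statements"}, "write", "write"),
    ProviderRecord("PayrollVendor", "payroll processing", {"employee_ssn"}, "read", "read"),
    ProviderRecord("MarketingSaaS", "email campaigns", {"customer_contact"}, "admin", "read", True),
    ProviderRecord("CloudBackup", "offsite backup",
                   {"trade_blotter", "internal_financials", "customer_ssn"}, "read", "read"),
    ProviderRecord("PrinterSupport", "device maintenance", {"office_floorplan"}, "admin", "none", True),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    print("Providers holding PII / sensitive data:", providers_holding_sensitive_data(inv))
    print("Least-privilege findings:", least_privilege_findings(inv))
    print("Scope if CloudBackup reports an incident:", incident_scope(inv, "CloudBackup"))
```

The value of the catalog shows in `incident_scope`: when a provider announces a compromise, the firm can state what it had sent and what access it had granted without waiting for the provider to finish its own review, and `least_privilege_findings` surfaces the entries to fix before an incident occurs.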
CONCLUSION
With the increase in firms' reliance on third-party technology to innovate, reduce costs and increase operational efficiency, we likely will continue to see large impacts from vendor cybersecurity incidents across the globe. Given the frequency and public nature of these incidents, we expect firms to face increased regulatory scrutiny of their outsourcing/vendor management processes. Adopting industry standards and implementing regulatory guidance will help firms perform effective vendor risk management and demonstrate to regulators their awareness of warnings and recommendations regarding cybersecurity trends impacting the securities industry.
Footnotes
1 FINRA Cybersecurity Advisory – Increasing Cybersecurity Risks at Third-Party Providers (Sept. 9, 2024).
2 FINRA Cybersecurity Alert - FINRA Notifies Member Firms of MOVEit Software Vulnerability (CVE-2024-5806) (Jun. 27, 2024).
3 FINRA Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors) (Aug. 13, 2021).
4 Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Securities Exchange Act of 1934 Release No. 100155A (May 16, 2024), 89 FR 47688 (Jun. 3, 2024).
5 23 NYCRR 500.11(a).
6 Interagency Guidance on Third-Party Relationships: Risk Management, 88 FR 37920 (Jun. 9, 2023).
7 The NIST Cybersecurity Framework (CSF) 2.0 (Feb. 26, 2024).
8 NIST Update: Multi Factor Authentication and SP 800-63 Digital Identity Guidelines (Feb. 15, 2022).
9 See 23 NYCRR 500.11(b)(1).
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.