FINRA’s Cybersecurity Checklist
In May, FINRA published a cybersecurity checklist in an effort to aid small firms in creating a cybersecurity program. The checklist can be tailored to a firm’s business model. Cybersecurity is a key focus for FINRA given the evolving nature, sophistication and frequency of cyberattacks. The potential harm to investors, firms and the markets is another motivating factor for FINRA’s increased concentration on cybersecurity. FINRA’s last report on cybersecurity identified the top three threats to firms as: (1) hackers penetrating firm systems; (2) insiders compromising firm or client data; and (3) operational risks.
In light of the SEC and FINRA’s increased focus on cybersecurity, we thought it would be worthwhile to provide small firms with a summary of FINRA’s Cybersecurity Checklist as well as highlight some areas that you should address in your cybersecurity program. FINRA’s Checklist specifically aims to help firms “identify and assess cyber threats, protect assets from cyber intrusions, detect when their systems and assets have been compromised, develop an incident response plan and implement a plan to recover lost, stolen or unavailable assets.”
The Checklist requires broker-dealers to answer questions regarding their firm’s assets and systems, including the following: (1) Do you store, use or transmit personally identifiable information (e.g., Social Security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically? (2) Do you transmit personally identifiable information or firm sensitive information to a third party, or otherwise allow access to your personally identifiable information or firm sensitive information by a third party? (3) Do your employees (or independent contractors) maintain devices that access personally identifiable information or firm sensitive information? (4) Do you have assets that, if lost or made inoperable, would impact your firm’s operations (e.g., trading or order management systems)? (5) If your systems, personally identifiable information or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct business?
Depending upon a firm’s answers to those questions, the following sections applicable to its business would then need to be completed:
- Section 1 – Identify and Assess Risks: Inventory;
- Section 2 – Identify and Assess Risks: Minimize Use;
- Section 3 – Identify and Assess Risks: Third Party Access;
- Section 4 – Protect: Information Assets;
- Section 5 – Protect: Systems Assets;
- Section 6 – Protect: Encryption;
- Section 7 – Protect: Employee Devices;
- Section 8 – Protect: Controls and Staff Training;
- Section 9 – Detect: Penetration Testing;
- Section 10 – Detect: Intrusion;
- Section 11 – Response Plan;
- Section 12 – Recovery.
At a minimum, FINRA believes that firms should know which assets are vulnerable to a cyberattack or incident and should assign a risk level to those assets. FINRA acknowledges that at small firms a single individual who is responsible for operations, compliance and legal functions might not understand the technology at issue or the terms used in the checklist. However, small firms should understand that they will still be responsible for cyber incidents, even if they try to address shortcomings related to a lack of knowledge by working with outside vendors.