In May, FINRA published a cybersecurity checklist in an effort to aid small firms in creating a cybersecurity program. The checklist can be tailored to a firm’s business model. Cybersecurity is a key focus for FINRA given the evolving nature, sophistication and frequency of cyberattacks. The potential harm to investors, firms and the markets is another motivating factor for FINRA’s increased concentration on cybersecurity. FINRA’s last report on cybersecurity identified the top three threats to firms as: (1) hackers penetrating firm systems; (2) insiders compromising firm or client data; and (3) operational risks.
In light of the SEC and FINRA’s increased focus on cybersecurity, we thought it would be worthwhile to provide small firms with a summary of FINRA’s Cybersecurity Checklist as well as highlight some areas that you should address in your cybersecurity program. FINRA’s Checklist specifically aims to help firms “identify and assess cyber threats, protect assets from cyber intrusions, detect when their systems and assets have been compromised, develop an incident response plan and implement a plan to recover lost, stolen or unavailable assets.”
The Checklist requires broker-dealers to answer questions regarding their firm’s assets and systems, including the following:
- (1) Do you store, use or transmit personally identifiable information (e.g., Social Security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
- (2) Do you transmit personally identifiable information or firm sensitive information to a third party, or otherwise allow access to your personally identifiable information or firm sensitive information by a third party?
- (3) Do your employees (or independent contractors) maintain devices that access personally identifiable information or firm sensitive information?
- (4) Do you have assets that, if lost or made inoperable, would impact your firm’s operations (e.g., trading or order management systems)?
- (5) If your systems, personally identifiable information or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct business?
Depending upon a firm’s answers to those questions, the following sections applicable to its business would then need to be completed:
- Section 1 – Identify and Assess Risks: Inventory;
- Section 2 – Identify and Assess Risks: Minimize Use;
- Section 3 – Identify and Assess Risks: Third Party Access;
- Section 4 – Protect: Information Assets;
- Section 5 – Protect: Systems Assets;
- Section 6 – Protect: Encryption;
- Section 7 – Protect: Employee Devices;
- Section 8 – Protect: Controls and Staff Training;
- Section 9 – Detect: Penetration Testing;
- Section 10 – Detect: Intrusion;
- Section 11 – Response Plan;
- Section 12 – Recovery.
At a minimum, FINRA believes that firms should know which assets are vulnerable to a cyberattack or incident and should assign a risk level to those assets. FINRA acknowledges that at small firms a single individual who is responsible for operations, compliance and legal functions might not understand the technology at issue or the terms used in the checklist. However, small firms should understand that they will still be responsible for cyber incidents, even if they address a lack of in-house knowledge by working with outside vendors.
About Red Oak Compliance Solutions
Red Oak Compliance Solutions is the global advertising review software of choice in the financial services industry. It is a comprehensive suite of SEC 17A-4 compliant features that are 100% books and records compliant and provides clients with 35% faster approvals and 70% fewer touches or better. We also offer Smart Review(SM), which solves for the storage and maintenance of disclosures, helping firms reduce risk, decrease review times, and increase the speed of distribution of marketing materials. Smart Registration(SM) automates the licensing and registration management process to help reduce regulatory risk and time spent on manual processes. Overall, Red Oak allows firms to minimize risk, reduce costs, and increase compliance review process effectiveness and efficiencies.