Finra has found six common cybersecurity weaknesses it has observed from examinations of its member firms. And the failings read as a to-do list of things broker-dealers should do to ensure their cybersecurity is up to scratch.
These include the lack of training in cybersecurity issues; flaws in staff access to technology systems; weakness in access to technology systems of terminated employees; a lack of segregation of technology application developers; a lack of proper vendor oversight; and the absence of, or deficiencies in, the cybersecurity policies and procedures in remote branch offices.
Those weak spots were identified by Susan Axelrod, executive vice president of Finra’s Office of Regulatory Operations, at the self-regulator’s annual conference last month in Washington, D.C.
Although cybersecurity is among Finra’s top priorities, the self-regulator doesn’t actually have its own set of rules. Finra reviews a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information mainly by reviewing each firm’s compliance with SEC regulations.
These SEC regulations include those that require firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access; those that outline a firm’s duties regarding the detection, prevention, and mitigation of identity theft; and those that require firms to preserve electronically stored records in a non-rewriteable, non-erasable format, commonly known as the write once read many (WORM) format.
“Finra does not have a cybersecurity rule, but it is something we look at and examine for the purpose of identifying issues, concerns or violations, have discussions with firms, provide feedback, provide recommendations where firms can do a better job,” Axelrod said.
In its 2017 regulatory and examination priorities letter, Finra said cybersecurity threats remain one of the most significant risks many firms face. Finra said it recognizes there is no one-size-fits-all approach to cybersecurity, so it tailors its assessment of cybersecurity programs to each firm based on a variety of factors, including its business model, size and risk profile.
Among the areas Finra said it may review are the firms’ methods for preventing data loss, including understanding its data and how it flows through the firm – and possibly to vendors. In the priorities letter, Finra identified two repeated shortcomings in controls. First, it said cybersecurity controls at branch offices – particularly independent contractor branch offices – tend to be weaker than those at firms’ home offices. It said there are poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data.
Second, it said firms have failed to fulfill one or more of their obligations to preserve certain records in the WORM format.
In December, Finra fined 12 brokers $14.4 million – including Wells Fargo Advisors and LPL Financial – for failing to update their records correctly in the WORM format, which the industry regulator says left customer and broker-dealer data open to increasingly aggressive hackers.
Axelrod said multiple firms hadn’t effectively trained their relevant staff on cybersecurity issues, leaving those firms vulnerable.
“Fraudsters will always look for the weakest link,” said Bari Havlik, chief compliance officer at Charles Schwab. She said training relevant staff to “find the balance” between being client-friendly and flagging potential issues is crucial. For example, firm representatives must be able to ascertain if the person on the other line or sending an email is posing as a client and should not be given access to any information or service, she said.
Axelrod said multiple firms need to address the flaws in their staff access to technology systems by reviewing who deserves access to those systems, noting that this review should be conducted on a “fairly regular” basis. She added that multiple firms have shown weakness in access to technology systems of terminated employees by not removing the access quickly enough.
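The two access findings above (periodic review of who holds access, and terminated employees whose access is not removed promptly) are both reconciliation problems: compare the HR record against what the identity system actually shows. The script below is an added illustration written for this article, not code from Finra or any firm; the HR feed, the account export, the one-day removal window and the 90-day dormancy threshold are all constructed assumptions, and a real run would pull the same fields from the firm's HR and directory systems.

```python
"""Added example (not Finra's or any firm's code): reconcile an HR
termination feed against an identity-system account export to find
access that should already have been removed, plus dormant and orphan
accounts that belong in the next periodic access review.
All data and thresholds below are constructed for illustration."""
from datetime import date

# Constructed HR feed: user id -> termination date (None = still employed).
HR_FEED = {
    "jsmith": None,
    "alee": date(2017, 5, 2),
    "rkhan": date(2017, 4, 10),
    "mwong": None,
}

# Constructed identity-system export:
#   user id -> (account enabled?, last logon date, set of entitlements)
ACCOUNTS = {
    "jsmith": (True, date(2017, 6, 1), {"crm", "trading"}),
    "alee": (True, date(2017, 5, 9), {"crm"}),            # terminated, still enabled, logged on after leaving
    "rkhan": (False, date(2017, 4, 9), {"trading"}),      # terminated, disabled on time
    "mwong": (True, date(2017, 1, 15), {"crm", "hr"}),    # employed but has not logged on in months
    "svc_legacy": (True, date(2017, 2, 1), {"trading"}),  # no HR record at all
}

AS_OF = date(2017, 6, 15)  # constructed "today" for the report
REMOVAL_SLA_DAYS = 1       # assumed policy: access gone within one day of termination
DORMANT_DAYS = 90          # assumed threshold for flagging an account for review


def reconcile(hr_feed, accounts, today=AS_OF):
    """Return a list of (user id, finding kind, detail) tuples.

    Finding kinds:
      orphan                  account exists but HR has no record of the person
      terminated_enabled      HR says terminated, account still enabled past the SLA
      post_termination_logon  a logon was recorded after the termination date
      dormant                 active employee, but no logon within DORMANT_DAYS
    """
    findings = []
    for uid, (enabled, last_logon, entitlements) in sorted(accounts.items()):
        if uid not in hr_feed:
            findings.append((uid, "orphan", "account has no HR record"))
            continue
        term = hr_feed[uid]
        if term is not None:
            days_since = (today - term).days
            if enabled and days_since > REMOVAL_SLA_DAYS:
                findings.append((uid, "terminated_enabled",
                                 f"still enabled {days_since} days after termination"))
            if last_logon > term:
                findings.append((uid, "post_termination_logon",
                                 f"logon on {last_logon} after termination on {term}"))
            continue
        idle = (today - last_logon).days
        if enabled and idle > DORMANT_DAYS:
            findings.append((uid, "dormant",
                             f"no logon for {idle} days; holds {sorted(entitlements)}"))
    return findings


def by_kind(findings):
    """Group user ids by finding kind, for a quick summary line per control."""
    summary = {}
    for uid, kind, _ in findings:
        summary.setdefault(kind, []).append(uid)
    return summary


if __name__ == "__main__":
    report = reconcile(HR_FEED, ACCOUNTS)
    for uid, kind, detail in report:
        print(f"{uid:<12} {kind:<24} {detail}")
    print(by_kind(report))
```

The "terminated_enabled" and "post_termination_logon" checks correspond to the terminated-employee finding; "dormant" and "orphan" are the items a regular access review should surface. Running the same comparison on a schedule, and tracking how long each terminated account stays enabled, gives a firm a measurable answer to the question Finra is asking.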
In remote branch offices, Axelrod said there is a need for proper education on how to protect information. For example, there needs to be “continued focus between home offices and those remote offices” on the strength of the passwords, and the encryption of data, she said. And when there are incidents, there should be proper reporting and notification to Finra even if it’s not required, she added, noting this helps improve the relations between the firm and the self-regulator.
“Our exam approach [on cybersecurity] is to engage in a dialogue and make some recommendations that you may want to think about and do better,” she said. “Because we have the ability to look across firms and across firm sizes, we recognize that not every firm has the same level of resources dedicated to cybersecurity.”
Meanwhile, executives at broker-dealer firms at the conference said they have noticed an increase in attempts by fraudsters posing as clients to initiate wire transfers.
“We’ve had several instances in the past months of fraudsters taking over clients’ email accounts, asking for large sums of money to be transferred… The excuse is they’re out of the country, they don’t have cell service, so they can’t talk to you but they need this urgently,” said Kevin Miller, general counsel at Securities America.
As a safety precaution, Securities America doesn’t allow the use of email as a medium of instruction for wire transfers, he said. “For any wire transfer to go out, we need a physical call out to a client to confirm.”
In mid-May, the SEC warned broker-dealers and investment advisors about the widespread ransomware attack that left companies in more than 100 countries vulnerable.
William Wollman, executive vice president of Finra member regulation at the Office of Risk Oversight and Operational Regulation, said Finra’s review, in coordination with the SEC, showed that there was “no impact on financial services firms” from that attack.
He said Finra looked at how firms were updating their technology and employing technical controls like anti-spyware systems or firewalls that will protect them during attacks. Finra also looked at whether firms have a pre-defined playbook that outlines what they would do in the event of an attack.
“Knowing ahead of time who’s going to play which roles and how you’re going to respond is very critical,” he said.