Finra CARDS data breach risk is real

Potential security risk concerns over Finra’s highly-debated Comprehensive Automated Risk Data System proposal, or CARDS, are not simply hot air, cybersecurity and big data experts say.
The initiative by the Financial Industry Regulatory Authority Inc., which was recently put on hold for further evaluation amid negative feedback, was proposed as a means of collecting and analyzing broker-dealer client data. Finra’s stated goal for CARDS is to catch fraudulent activity early.
A spokesman for Finra said that although the self regulator will not move forward with the present form of the proposal, it is “conducting additional analyses, engaging third-party experts to further analyze these threats and exploring alternative approaches.”
One of the biggest criticism against the proposal is that with high volumes of data being transferred between firms and regulators, the danger of security breaches increases.
“Any time you’re moving private data, you have an opportunity for it to be intercepted,” said Brian Edelman, chief executive of Financial Computer Services, a company that works primarily in cybersecurity.
Lowell Putnam, chief executive of Quovo, a big data company, agreed.
“Any time you have large amounts of data changing hands there are risks, especially anything done on a regular schedule,” Mr. Putnam said. “The same security holes can be exploited.”
ACCESS TO CLIENT DATA
With CARDS, Finra would gain access to reams of client data, which historically has been monitored by brokerages. Data would include a client’s investment time horizon, objectives, risk tolerance and net worth, but no personally identifiable information such as birth dates or Social Security numbers.
CARDS would be an improvement from the current paper-based system because there would be no time lag, according to Barbara Roper, director of investor protection at Consumer Federation of America.
“CARDS allows for an immediate process of information so warning flags can go up,” Ms. Roper said. “It allows a much quicker response by regulators when problems emerge.”
Ms. Roper, who supports the proposal, said brokers have just as great a risk of cybersecurity breaches as regulators would have with CARDS with the use of data collection.
“Firms believe it is worthwhile to take that risk because it’s a necessity of doing business in the modern world,” she said. “We believe it is a necessity of regulating the modern world.”
“There’s no way to design a foolproof system, but you can’t let that paralyze you, just like there’s no way to design a foolproof system at the firm level,” she added.
A draft of what the data record layout would look like for firms that Finra released in October includes 30 tabs of information that brokers would have to upload.

Source: Finra

Sid Yenamandra, chief executive of Entreda, a cyber-security and risk management company, said Finra could counter the cybersecurity risk argument by employing best practices for handling big data such as using encryption to transfer data, having vulnerability tests and auditing any third-party vendors that may be involved. And the self regulator could also ease opponents’ minds by openly discussing where the data will be housed, how it will be integrated with firms and what the policies and procedures would be, he added.
“This is all good in theory, but I think practice will determine how this will unfold and who will implement this and what the strength of that system will be,” Mr. Yenamandra said. “It’s not something that’s going to happen overnight.”