Finra: Firms begin to heed cybersecurity, but have much to do

Vulnerabilities include access-management systems and people processes, according to report on exam findings

Dec 7, 2017 @ 4:18 pm

By Ryan W. Neal

Adviser awareness about cybersecurity has increased substantially over the past two years, and most firms have either established or are in the process of establishing written policies and procedures for protecting investor information, the Financial Industry Regulatory Authority noted Wednesday in a report detailing findings from a recent self-examination.

But Finra still named cybersecurity as a major threat facing broker-dealers. Even the most robust cybersecurity programs can be compromised when an employee opens a malicious email attachment. Finra said these kinds of attacks—known as phishing or spearphishing attacks—were among those most commonly observed in 2016 and 2017.

Other common attacks included ransomware attacks, which hold a computer's data hostage for a payment (usually in bitcoin), and fraudulent third-party wire transfers that use stolen consumer or adviser credentials.


Sayer Martin, the chief operations officer and co-technology officer of Orchestrate, which provides automated workflow tools within Salesforce for advisers, said none of these threats are new. The fact that they remain common problems underscores that firms are either not putting policies in place, or that people aren't following the policies.


"There is still work to do, but not necessarily on the understanding side. This is on the implementation side," Mr. Martin said. These attacks, commonly called "social hacks," can be defended against by changing passwords and protecting mobile devices.

Finra said firms can do a better job of addressing access management. This pertains to systems to log, monitor and supervise employee activity to better detect anomalies. Warning signs include performing unauthorized work during off-hours or logging in from unfamiliar locations. The report also said advisers should shut off departing employees' access to digital systems on a timelier basis.

Other common deficiencies included a lack of formal processes for conducting ongoing risk assessments or reviewing technology vendors' cybersecurity credentials. Finra observed that some small- and medium-sized firms didn't segregate cybersecurity responsibilities, instead leaving other employees to take care of them.


Mr. Martin said that in addition to training employees on safe practices, clearly describing responsibilities can help hold people accountable if there is a breach. When firms—especially smaller businesses without the resources for expensive technology—realize that cybersecurity weakness starts with people, they can improve safety.

"Having systems is important, and don't get me wrong it's extremely important, but when I look through this [report], the biggest issue is people," Mr. Martin said.

Though larger firms have the resources to purchase sophisticated tools, Finra found that implementation of those tools could be improved.

Finra also reported that branch offices typically face greater challenges in managing effective passwords, implementing patches and software updates, maintaining anti-virus software, encrypting data and reporting data breach incidents.


Mr. Martin said the report was comprehensive in identifying the weaknesses, but fell short in providing a set of best practices for firms to adopt. He added that small firms especially could benefit from a blueprint of Finra recommendations.

The report marked the first time Finra released a summary of its examination findings, which also included observations about product suitability, outside business activities, best execution and alternative investments held in individual retirement accounts.

The organization said in a prepared statement that the report was intended to help firms "improve their compliance functions based on the experiences of other firms and better anticipate and address potential areas of concern well before their own cycle examinations."

Finra declined a request to comment further on the report.

