Finra updates cybersecurity best practices report

The report goes into greater depth and detail to help broker-dealers improve their security practices

Dec 20, 2018 @ 4:56 pm

By Ryan W. Neal

Though brokers say cybersecurity is one of their top priorities, the Financial Industry Regulatory Authority Inc. says it still sees a lot of problematic practices at firms.

To help them improve, Finra on Thursday updated a 2015 report on cybersecurity that details best practices for broker-dealers.

The "Report on Selected Cybersecurity Practices – 2018" covers five topics addressing the evolving threat of cybercrime and the most frequent findings from its examination program.

"Securities firms rate cybersecurity as one of their top operational risks, and our new report addresses areas that firms tend to find most challenging," David Kelley, surveillance director of member supervision in Finra's Kansas City office, said in a statement.

The topics include cybersecurity controls in branch offices; methods of limiting "phishing" attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

The report addresses several critical issues firms are often unfamiliar with, said Bart McDonough, CEO and founder of Agio, a hybrid cybersecurity and managed IT firm. For example, Finra describes the best way of contacting the FBI in the event of a breach.

However, Mr. McDonough said the report could have been presented more simply to increase understanding, especially for firms that don't have a cybersecurity expert who can decipher technical language.

"The report misses an opportunity to highlight the critical need for threat intelligence, where firms have insight into what's happening at other, similar companies," Mr. McDonough said in an email.

"Another shortcoming of the report is that it buries the importance of executive leadership and management support in the middle of the analysis. That has to be a starting point and a tone-setter for the entire firm."

The updated report goes into greater depth and detail than the 2015 report. Finra describes more than 30 specific practices for branch controls that cover written supervisory procedures, asset inventories, technical controls and branch review programs.

Mark Brown, president of cybersecurity compliance firm Advisor Armor, said firms with a "hub and spoke" structure are of particular interest to Finra and the Securities and Exchange Commission, and the additional detail on branch office cybersecurity isn't surprising.

"Finra and [broker/dealers] have been late to this, and registered reps are in a tug of war with who pays for it," Mr. Brown said in an email. "But in the end, the right controls, evidence and auditing of cybersecurity need to be in place."

Finra also highlights how firms can detect phishing attacks, even if they appear to come from trusted sources.

The report includes an appendix covering core cybersecurity controls for small firms, which, in addition to the "Small Firm Cybersecurity Checklist," can help smaller businesses identify possible cybersecurity controls.

"There is no 'one-size-fits-all' approach to cybersecurity, so Finra has made a priority of providing firms with reports and other tools to help them determine the right set of practices for their individual business," said Steven Polansky, senior director of member supervision in Finra's Washington office.

Shan Dagli, head of intermediary solutions at Envision, an IT provider, suspects the increased guidance means Finra's 2018 exams revealed a wide disparity in what firms were doing from a cybersecurity standpoint.

"So Finra is taking it upon themselves to provide more guidance," Mr. Dagli said. "With increased guidance, it could lead to more scrutiny. Or it could simply be a manner of wanting to provide clearer guidance/best practices."

