Though brokers say cybersecurity is one of their top priorities, the Financial Industry Regulatory Authority Inc. says it still sees a lot of problematic practices at firms.
To help them improve, Finra on Thursday updated a 2015 report on cybersecurity that details best practices for broker-dealers.
The "Report on Selected Cybersecurity Practices – 2018" covers five topics addressing the evolving threat of cybercrime and the most frequent findings from its examination program.
"Securities firms rate cybersecurity as one of their top operational risks, and our new report addresses areas that firms tend to find most challenging," David Kelley, surveillance director of member supervision in Finra's Kansas City office, said in a statement.
The topics include cybersecurity controls in branch offices; methods of limiting "phishing" attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintain controls on mobile devices.
The report addresses several critical issues firms are often unfamiliar with, said Bart McDonough, CEO and founder of Agio, a hybrid cybersecurity and managed IT firm. For example, Finra describes the best way of contacting the FBI in the event of a breach.
However, Mr. McDonough said the report could have been presented by simply to increase understanding, especially for firms who don't have a cybersecurity expert who can decipher technical language.
"The report misses an opportunity to highlight the critical need for threat intelligence, where firms have insight into what's happening at other, similar companies," Mr. McDonough said in an email.
"Another shortcoming of the report is that it buries the importance of executive leadership and management support in the middle of the analysis. That has to be a starting point and a tone-setter for the entire firm."
The updated report goes into greater depth and detail than the 2015 report. Finra describes more than 30 specific practices for branch controls that cover written supervisory procedures, asset inventories, technical controls and branch review programs.
Mark Brown, president of cybersecurity compliance firm Advisor Armor, said firms with a "hub and spoke" structure are of particular interest to Finra and the Securities and Exchange Commission, and the additional detail on branch office cybersecurity isn't surprising.
"Finra and [broker/dealers] have been late to this, and registered reps are in a tug a war with who pays for it," Mr. Brown said in an email. "But in the end, the right controls, evidence and auditing of cybersecurity need to be in place."
Finra also highlights how firms can detect phishing attacks, even if they appear to come from trusted sources.
The report includes an appendix covering core cybersecurity controls for small firms, which, in addition to the "Small Firm Cybersecurity Checklist," can help smaller businesses identify possible cybersecurity controls.
"There is no 'one-size-fits-all' approach to cybersecurity, so Finra has made a priority of providing firms with reports and other tools to help them determine the right set of practices for their individual business," said Steven Polansky, senior director of member supervision in Finra's Washington office.
Shan Dagli, head of intermediary solutions at Envision, an IT provider, suspects the increased guidance means Finra's 2018 exams revealed a wide disparity in what firms were doing from a cybersecurity standpoint.
"So Finra is taking it upon themselves to provide more guidance," Mr. Dagli said. "With increased guidance, it could lead to more scrutiny. Or it could simply be a manner of wanting to provide clearer guidance/best practices.