Cybersecurity - Review of FINRA 2015 Report
DESCRIPTION
Cybersecurity threats to broker-dealers and investment advisers are persistent across many types of electronic digital media. Cyber threats also vary by size of firm and business model. Brokerage and investment firms need to analyze their proficiency in key areas to ensure data is secure at all times. FINRA has cited, sanctioned, and fined firms with weak cyber-security infrastructures. Presentation by RND Resources, Inc, www.finracompliance.com. RND is a full service compliance, registration, and accounting resource to investment and brokerage firms.
TRANSCRIPT
-
A look into FINRA Cybersecurity Practices Report - February 2015
RND Resources, Inc. Phone (818) 657-0288
Compliance Accounting Registration www.finracompliance.com
RND Resources Inc., affiliates, and staff, are not associated with the financial industry regulatory authority (FINRA). Nothing contained herein is intended to describe any such association.
-
February 2015: FINRA Report Released: Cyber-Security Practices
-
Top Threats Identified by Financial Firms
Hackers penetrating firm systems
Insiders compromising firm or client data
Operational risks
Threats vary by firm and business model
1) Online Brokerages rank hackers as top risk
2) Firms with algorithmic trading rank insider risks highest
3) Large investment banks rank hacktivist groups highest
[Chart: threat ranking by firm type (Large Banks, Online Brokerage, Proprietary Trading)]
-
Governance and Risk Management
Risk Assessment
Technical Control
Incident Response Plan
Staff Training
Vendor Management
Information Sharing
Cyber Insurance
FINRA Principles and Effective Practices
A framework that supports informed decision making and escalation within the organization:
define policies, processes, structures, and controls tailored to cybersecurity risks.
-
FINRA Case Study Cyber-related Enforcement Action
Hackers used an SQL injection attack on a firm's database server, obtaining confidential information of over 200,000 customers.
The firm became aware of the breach only when the hackers attempted to extort money from it, even though the breaches were visible in the firm's web server logs.
Further, the firm stored the customer data on a computer with an internet connection and did not encrypt the information.
FINRA cited the firm for several governance failures.
-
FINRA Case Study Cyber-related Enforcement Action (cont)
FINRA cited governance failures with regard to:
Failure to implement adequate safeguards
Storing unencrypted customer data
Weak passwords
Failure to test safeguards of sensitive data
Failure to review web logs
FINRA also cited: failure to respond to an earlier auditor recommendation for an intrusion detection system, and no written information security procedures in place designed to protect customer data.
-
FINRA Case Study Risks & Opportunities in Cloud Computing
FINRA recognizes that many firms today contract with vendors for cloud-based services. Cloud computing presents two unique challenges to firms with regard to their cyber security efforts.
1) Cloud services offer substantial technology advantages with minimal involvement from IT departments. However, IT has in the past been the function able to vet processes and ensure sound cyber security practices are in place.
2) Outsourced IT and cloud-based systems blur the boundary between firm and non-firm systems, making it hard for firms to maintain control over their technology environment.
-
FINRA Case Study Risks & Opportunities in Cloud Computing (cont)
Key security considerations for cloud-based services
1) What controls and authentication processes are used to access the cloud vendor portal?
2) What controls does the cloud vendor have to prevent hacking of its system?
3) What is the shared access of the system, i.e. many firms may be using the same system and computing resources?
4) What testing procedures are in place to identify potential threats?
5) What is the development life cycle process and procedure for updates?
6) Who has physical access to the vendor's data center?
-
FINRA report: Cyber-security is a key risk the broker-dealer industry faces today, and one that will likely grow in importance in the coming years.
Risk assessments help firms identify and prioritize the steps to undertake. Information sharing helps firms understand the types of threats out there and the mitigation measures available.
Threat types: SQL Injection, Malware, Phishing, Hijacked Devices, Persistent Threats, Website Hack, Denial of Service, Insider Threat, Hacktivists
-
Consulting Investment Firms since 1984
Compliance Accounting Registration Cybersecurity Expert Witness & Litigation Support
-
RND RESOURCES, INC. Securities Brokerage Professionals 21860 Burbank Blvd North Building, Suite 150 Woodland Hills, CA 91367 www.finracompliance.com
Phone (866)-342-9342/ (818)657-0288 Fax (888) 347-6098/ (818)657-0299
CyberSecurity Standards for Investment Firms
A look into FINRA CyberSecurity Practices Report Released February 2015
1) RND Resources presents an overview of the FINRA Report on Cyber Security Practices released February 2015. RND Resources Inc is an investment and brokerage consulting and services firm providing services in Compliance, Accounting and Registration for Broker-Dealers, RIAs, Hedge Funds, & Family Offices. RND Resources is not associated with FINRA. Nothing contained in this presentation is intended to describe such association.
2) The February 2015 FINRA report was released in response to FINRA cyber-security sweeps implemented in January 2014. The 45-page report gives an overview of the cyber security landscape, presents case studies where cyber-security and sensitive data have been compromised, and outlines standards for firms to implement sound cyber-security governance.
3) Cybersecurity threats to broker-dealers and investment advisers are persistent across many types of electronic digital media. Computers, mobile technology, telephony equipment, and wi-fi access can all present hackers and cyber criminals with access to sensitive company data. Additionally, threats can occur from insiders with access to systems and passwords.
4) Cyber threats vary by size of firm and business model. FINRA surveyed firms to understand top threats. While top threats were identified, the level of priority of threat types varied by firm. For instance, large investment firms see a greater threat from hacktivist groups creating operational issues, while online brokerages rank hackers stealing customer data as their highest threat. Further, firms with proprietary trading algorithms cited risks from insiders compromising firm or client data as most prominent.
-
5) In response to their findings, FINRA released standards for brokerage and investment firms to implement as a means to protect customer and firm data from threats and attacks. FINRA created a summary of effective principles and practices leading to a sound cyber-security program. Brokerage and investment firms need to analyze their proficiency in these key areas to ensure data is secure at all times. The key areas include: Governance and Risk Management, Risk Assessment, Technical Control, Incident Response Plan, Vendor Management, Staff Training, Information Sharing Practices, and Cyber Insurance.
6) FINRA has cited, sanctioned, and fined firms with weak cyber-security infrastructures. The report presents case study examples of errors on the part of the firm to protect customer and company data. Hackers use sophisticated methods to breach company records. Firms must stay on top of security measures to ensure they are protected against common and not so common threats.
7) In some cases there are simple measures that firms can implement to prevent cyber attacks. Restricting access to and use of administrative-level passwords, using strong passwords and changing them frequently, and maintaining antivirus software are common practices. Firms must also implement strong prevention tactics such as regular review of web logs for attempted breaches, testing systems against breach, and using separate storage devices for customer data.
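As an added illustration of the "review of web logs" control named here and in the SQL injection case study above (example code, not from the FINRA report or RND Resources), a small Python scanner parses constructed combined-format access-log lines, URL-decodes each request path and flags the injection indicators an analyst would want surfaced, while leaving a legitimate apostrophe (o'brien) unflagged:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined access-log format (not from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2015:10:01:02 -0800] "GET /account?id=1042 HTTP/1.1" 200 1834
203.0.113.7 - - [12/Feb/2015:10:01:09 -0800] "GET /account?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90213
198.51.100.23 - - [12/Feb/2015:10:02:15 -0800] "GET /account?id=1042%20UNION%20SELECT%20name%2Cssn%20FROM%20customers-- HTTP/1.1" 500 512
192.0.2.44 - - [12/Feb/2015:10:03:01 -0800] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [12/Feb/2015:10:03:30 -0800] "GET /search?q=o%27brien HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Matched on the URL-decoded path; a lone quote (o'brien) is not enough to flag.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I)),
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
]

def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])  # undo %27, %20, + encoding
    return rec

def sqli_indicators(decoded_path):
    """Names of the injection indicators present in a decoded request path."""
    return [name for name, pat in SQLI_PATTERNS if pat.search(decoded_path)]

def scan_log(text):
    """Return one finding per request that carries injection indicators, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_indicators(rec["decoded_path"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "path": rec["decoded_path"], "indicators": hits})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the second and third requests (the tautology and the UNION SELECT with a trailing comment) and nothing else; an unusually large response size, as on the flagged 200 line, is a second signal worth correlating.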
8) Firms must also recognize that risks are not entirely within their own control. Some risks come from outsourced services and cloud-based computing systems. Brokerage firms have less control over the security of cloud-based systems and must review the procedures and security measures of their vendors to ensure protection standards are implemented at the level that securities brokerages are required to maintain.
-
9) FINRA reported several key concerns with cloud-based computing and outsourced vendor services. Investment and securities firms must exercise due diligence in who they do business with and what those vendors' capabilities are. Firms should interview vendor companies to identify which security measures are in place and to ensure they are compliant with investment firm standards.
10) Cyber security is a growing risk to broker-dealers, investment advisers, hedge-fund managers, and family practices. RND Resources is actively engaged in reviewing investment firms' and practices' cyber security programs, making recommendations and establishing procedural standards. It is important for firms to have their cyber security strategy assessed for its ability to prevent attacks and to recover quickly if one happens. Some states have specific laws with regard to disclosure of cyber attacks. Firms must maintain standards compliant with their local and state laws as well as regulatory standards.
11) RND Resources, Inc is leading securities and brokerage professionals to successfully implement compliance with FINRA and SEC standards. We are experts at helping firms reach their compliance goals. Our company is a member of ISACA (Information Systems Audit and Control Association), which serves to keep members informed of threats in the IT landscape and focuses on IT governance. RND is also a member of NSCP, the National Society of Compliance Professionals. Contact us for information about how we can help your firm protect itself from attack and meet regulatory standards. Phone (818) 657-0288 or visit our website at www.finracompliance.com