It has become increasingly important for financial institutions to adopt robust security measures to safeguard their clients’ assets and personal data. To address this challenge, FINRA has established a comprehensive set of rules to enhance its member firms’ cybersecurity posture.
However, there isn’t a set-in-stone framework of specific security measures. Instead, FINRA’s rules consist of obligations and guidance on how to address those obligations.
This article will delve into the various aspects of cybersecurity related to FINRA. By understanding the importance of cybersecurity within the context of FINRA’s regulatory framework, financial institutions can better protect their clients, mitigate risks, and contribute to a more secure and resilient financial system.
What Is the Financial Industry Regulatory Authority (FINRA)?
The Financial Industry Regulatory Authority is a non-governmental organization in the U.S. that oversees brokerage firms and representatives. It aims to protect investors by ensuring the securities industry operates fairly and honestly.
FINRA cybersecurity refers to the policies, guidelines, and best practices established by FINRA to help member firms protect their information systems and customer data from cyber threats. These guidelines focus on risk management, data protection, and technology controls that firms must implement to prevent, detect, and respond to cybersecurity threats.
FINRA and Governance Rules
While firms will need expert organizations to address the specific security issues raised by the threats listed below, there isn’t a particular compliance standard in place. Instead, several regulatory obligations exist that are managed and enforced by FINRA through its relationship with the Securities and Exchange Commission (SEC).
Note that these requirements play a role in security but also touch on other significant areas, such as fighting fraud, money laundering, and terrorism.
These obligations are split into different rules. Some of the FINRA rules that are notable for security include:
- FINRA Rule 2090 (Know Your Customer): FINRA Rule 2090, also known as the “Know Your Customer” (KYC) Rule, requires member firms to use reasonable diligence in learning and understanding essential facts about their customers. This rule aims to ensure that firms comprehensively understand their customers’ financial situation, investment objectives, and risk tolerance in order to provide suitable recommendations and services. Additionally, institutions are required to have identity verification methods in place to ensure that an individual is who they say they are.
- FINRA Rule 3110 (Supervision): This rule outlines member firms’ supervisory responsibilities and requirements. It mandates that firms establish and maintain a system to supervise the activities of their registered representatives, including written procedures, designated principals for supervision, and regular internal inspections. Accordingly, the information gained during this monitoring must remain private and secure.
- FINRA Rule 3310 (Anti-Money Laundering Compliance Program): FINRA Rule 3310 establishes the requirements for a firm’s Anti-Money Laundering (AML) Compliance Program. The rule aims to prevent money laundering, terrorist financing, and other illicit activities by requiring firms to develop and implement AML policies, procedures, and internal controls.
- FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information): FINRA Rule 4370 requires member firms to establish and maintain a written Business Continuity Plan (BCP). This rule aims to ensure that firms are prepared to continue their operations and meet their obligations to customers during an emergency or significant business disruption, such as a natural disaster, terrorist attack, or widespread technology failure.
- FINRA Rule 4511 (General Requirements): FINRA Rule 4511 pertains to the general recordkeeping requirements for member firms. It mandates that firms create and maintain records in accordance with the rules set forth by the Securities and Exchange Commission (SEC) and other applicable laws and regulations.
Additionally, the processes that fall under these requirements also fall under Rule 30 of SEC Regulation S-P, also known as the Safeguards Rule, which requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures designed to protect their customers’ nonpublic personal information.
These rules touch on important cybersecurity obligations: authentication and identity management, data protection, encryption, mitigation, recovery, and so on.
While FINRA doesn’t define a specific security framework to guide firms in addressing these issues, it does define a select list of governance considerations that firms should understand.
These considerations include:
- What are the processes in place to continuously monitor risk?
- What are the related governance policies for these processes?
- How does a firm handle Data Loss Prevention (DLP)?
- What controls are in place to support logging and auditing?
- Does the firm undergo regular penetration tests, and if so, what kinds?
- How does the firm address phishing, both in terms of individuals and in terms of false websites?
- How does the firm monitor and halt fraudulent activity?
- How does a firm securely verify a user’s identity for AML and KYC requirements?
FINRA also outlines a significant set of attacks that brokers should be aware of and prepared to address. These include:
- Phishing: Phishing attacks are the primary way that attackers gain access to a user’s account and, without warning, conduct extensive and ongoing financial fraud.
- Ransomware: Ransomware is malware that encrypts a victim’s data and demands payment, typically cryptocurrency, to restore access to encrypted files. The rise of ransomware has led to financial institutions looking for ways to empower backup and recovery systems.
- Advanced Persistent Threats (APTs): APTs are sophisticated, long-term attacks by well-resourced threat actors who target specific organizations or industries to steal valuable data, disrupt operations, or achieve other malicious objectives. Modern APTs are among the most prominent and dangerous cyber threats in the world.
- Distributed Denial of Service (DDoS): A DDoS attack occurs when multiple systems flood a targeted server, website, or network with a high traffic volume, causing it to become overwhelmed and unavailable to legitimate users. While not as common as other forms of fraud, a coordinated DDoS attack can cripple the digital services of a firm.
- Insider Threats: Insider threats are security risks within an organization, typically from employees, contractors, or other individuals with authorized access to sensitive information or systems. Because insider threats are so insidious, it’s crucial for brokers to have authentication, auditing, and identity verification measures in place.
- Customer Account Takeover: Customer account takeover, also known as account hijacking, is a type of cyber attack in which a threat actor gains unauthorized access to a customer’s account, typically by obtaining the user’s login credentials through phishing, social engineering, or other means.
- Firm Account Compromise or Takeover: A firm account compromise refers to a cybersecurity incident in which a threat actor gains unauthorized access to an organization’s or financial institution’s internal accounts, systems, or network. Like a customer account takeover, a firm account compromise can occur when an attacker obtains login credentials or exploits vulnerabilities in the organization’s security infrastructure.
Get Square with FINRA and Cybersecurity with Continuum GRC
If you are a financial institution or brokerage firm, FINRA compliance is non-negotiable. It’s critical that you have a solution that can help you manage and keep up with compliance obligations. Continuum GRC does this with a risk- and compliance-focused solution that also includes modules for the FINRA SEC Cybersecurity Report Card and the Small Firm Cybersecurity Checklist.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.