Cybersecurity News Alert December 2018:

On December 20th, the Financial Industry Regulatory Authority (FINRA) released a report detailing the effective cybersecurity practices and common risks observed during recent examinations. The report focused on the following key areas:

  1. Branch Controls
  2. Phishing Attacks
  3. Insider Threats
  4. Penetration Testing
  5. Mobile Device Security

Branch Controls: Maintaining rigorous cybersecurity controls is a firm’s best defense against attacks and human error. Establishing policies, controls, and an overall cybersecurity program promotes firm cybersecurity awareness and fosters a “security-first” environment. In this section FINRA reviews:

  • Policies and Procedures (Information Security Policy, Incident Response Plan, etc.)
  • Asset Inventory
  • Third-Party Risk Management
  • Technical Controls (Encryption, Strong Passwords, etc.)
  • Patch Maintenance

Phishing Attacks: Phishing is one of the most common threats to firms. This section details specific types of phishing (“spear-phishing” and “whaling”) as well as the controls that FINRA recommends firms implement to combat phishing attacks. In this section FINRA reviews:

  • Email and Browser Protection
  • Network Security
  • Risk Assessments
  • Endpoint Malware Protection

Insider Threats: Insider threats remain a major cybersecurity concern for firms. Bad actors who had, or may still have, authorized access to the firm’s network represent a present and capable threat to the firm’s network security. Among other methods detailed by FINRA, regularly reviewing access rights is imperative to combating insider threats. In this section FINRA reviews:

  • Identity and Access Management (Access Rights and Controls)
  • Secure System Configuration
  • Data Protection (Encryption, Backup Retention, etc.)
  • Security Awareness Training

Penetration Testing: Penetration testing and vulnerability scanning are an important part of a firm’s cybersecurity program. Testing and scanning the firm’s network allows the firm to identify specific deficiencies and target areas for improvement. In this section FINRA reviews:

  • Vulnerability Scanning
  • Selecting Security Vendors/Due Diligence

Mobile Device Security: Mobile devices are a part of everyday life and, in many cases, essential to a firm’s business and workflow. However, with increased mobility comes increased risk, as mobile devices are particularly susceptible to threats such as spam, spoofed calls and emails, and viruses. Implementing mobile device security controls and establishing a “security-first” approach to mobile device use is essential. In this section FINRA reviews:

  • MDM
  • Remote wipe
  • Password requirements
  • Security software on devices

For additional information, please visit: