CyberSecurity - Review of FINRA 2015 Report

Date post: 15-Nov-2015
Upload: rnd-resources-inc
Description:
Cybersecurity threats to broker-dealers and investment advisers are persistent across many types of electronic digital media. Cyber threats also vary by size of firm and business model. Brokerage and Investment firms need to analyze their proficiency in key areas to ensure data is secure at all times. FINRA has cited, sanctioned, and fined firms with weak cyber-security infrastructures. Presentation by RND Resources, Inc, www.finracompliance.com RND is a full service compliance, registration, and accounting resource to investment and brokerage firms.
Transcript
  • a look into FINRA Cybersecurity Practices Report - February 2015

    RND Resources, Inc. Phone (818) 657-0288

    Compliance Accounting Registration www.finracompliance.com

    RND Resources Inc., affiliates, and staff, are not associated with the financial industry regulatory authority (FINRA). Nothing contained herein is intended to describe any such association.

  • February 2015: FINRA Report Released: Cyber-Security Practices


  • Top Threats Identified by Financial Firms

    Hackers penetrating firm systems; insiders compromising firm or client data; operational risks

    Threats vary by firm and business model

    1) Online Brokerages rank hackers as top risk

    2) Firms with algorithmic trading rank insider risks highest

    3) Large investment banks rank hacktivist groups highest

    (Chart categories: Large Banks, Online Brokerage, Proprietary Trading)

  • FINRA Principles and Effective Practices

    Key areas: Governance and Risk Management; Risk Assessment; Technical Control; Incident Response Plan; Staff Training; Vendor Management; Information Sharing; Cyber Insurance

    A framework that supports informed decision making and escalation within the organization

    Define policies, processes, structures, and controls tailored to cybersecurity risks

  • FINRA Case Study Cyber-related Enforcement Action

    Hackers used an SQL injection attack on a firm's database server, obtaining confidential information of over 200,000 customers.

    The firm became aware of the breach only when the hackers attempted to extort money from it, although the breaches were visible in the firm's web server logs.

    Further, the firm stored the customer data on a computer with an internet connection and did not encrypt the information.

    FINRA cited the firm for several governance failures.

  • FINRA Case Study Cyber-related Enforcement Action (cont)

    FINRA cited governance failures with regard to:

    Failure to implement adequate safeguards

    Storing unencrypted customer data

    Weak passwords

    Failure to test safeguards of sensitive data

    Failure to review web logs

    FINRA also cited: failure to respond to an earlier auditor recommendation for an intrusion detection system; no written Information Security procedures in place designed to protect customer data.

  • FINRA Case Study Risks & Opportunities in Cloud Computing

    FINRA recognizes that many firms today contract with vendors for cloud-based services. Cloud computing presents 2 unique challenges to firms with regard to cyber security efforts. 1) Cloud services offer substantial technology advantages with minimal involvement from IT departments. However, IT has in the past been able to vet processes and ensure sound cyber security practices are in place.

    2) Outsourced IT and cloud-based systems blur the boundary between firm and non-firm systems, making it hard for firms to maintain control over their technology environment.

  • FINRA Case Study Risks & Opportunities in Cloud Computing (cont)

    Key security considerations for cloud-based services

    1) What controls and authentication processes are used to access the cloud vendor portal

    2) What controls the cloud vendor has to prevent hacking of its system

    3) What is the shared access of the system, i.e., many firms may be using the same system and computing resource

    4) What testing procedures are in place to identify potential threats

    5) What is the development life cycle process & procedure for updates

    6) Who has physical access to the vendor's data center

  • FINRA report: Cyber-security is a key risk the broker-dealer industry faces today, and one that will likely grow in importance in the coming years.

    Risk assessments help firms identify and prioritize steps to undertake. Information sharing helps firms understand the types of threats out there and mitigation measures.

    Threat types named: SQL Injection; Malware; Phishing; Hijacked Devices; Persistent Threats; Website Hack; Denial of Service; Insider Threat; Hacktivists

  • Consulting Investment Firms since 1984

    Compliance Accounting Registration Cybersecurity Expert Witness & Litigation Support

  • RND RESOURCES, INC. Securities Brokerage Professionals 21860 Burbank Blvd North Building, Suite 150 Woodland Hills, CA 91367 www.finracompliance.com

    Phone (866)-342-9342/ (818)657-0288 Fax (888) 347-6098/ (818)657-0299

    CyberSecurity Standards for Investment Firms

    A look into FINRA CyberSecurity Practices Report Released February 2015

    1) RND Resources presents an overview of the FINRA Report on Cyber Security Practices released February 2015. RND Resources Inc is an Investment and Brokerage consulting and services firm providing services in Compliance, Accounting and Registration for Broker-Dealers, RIAs, Hedge Funds, & Family Offices. RND Resources is not associated with FINRA. Nothing contained in this presentation is intended to describe such association.

    2) The February 2015 FINRA report was released in response to FINRA cyber-security sweeps implemented in January 2014. The 45-page report gives an overview of the cyber-security landscape, presents case studies where cyber-security and sensitive data have been compromised, and outlines standards for firms to implement sound cyber-security governance.

    3) Cybersecurity threats to broker-dealers and investment advisers are persistent across many types of electronic digital media. Computers, mobile technology, telephony equipment, and wi-fi access can all give hackers and cyber criminals access to sensitive company data. Additionally, threats can come from insiders with access to systems and passwords.

    4) Cyber threats vary by size of firm and business model. FINRA surveyed firms to understand top threats. While top threats were identified, the priority given to each threat type varied by firm. For instance, large investment firms see a greater threat from hacktivist groups creating operational issues, while online brokerages rank hackers stealing customer data as their highest threat. Further, firms with proprietary trading algorithms cited risks from insiders compromising firm or client data as most prominent.

  • 5) In response to their findings, FINRA released standards for brokerage and investment firms to implement as a means to protect customer and firm data from threats and attacks. FINRA created a summary of effective principles and practices leading to a sound cyber-security program. Brokerage and Investment firms need to analyze their proficiency in these key areas to ensure data is secure at all times. The key areas include: Governance and Risk Management, Risk Assessment, Technical Control, Incident Response Plan, Vendor Management, Staff Training, Information Sharing Practices, Cyber Insurance.

    6) FINRA has cited, sanctioned, and fined firms with weak cyber-security infrastructures. The report presents case study examples of failures on the part of the firm to protect customer and company data. Hackers use sophisticated methods to breach company records. Firms must stay on top of security measures to ensure they are protected against common and not so common threats.

    7) In some cases there are simple measures that firms can implement to prevent cyber attacks. Restricting access to and use of administrative-level passwords, using strong passwords and changing them frequently, and maintaining anti-virus software are common practices. Firms must also implement strong prevention tactics such as regular review of web logs for attempted breaches, testing systems against breach, and using separate storage devices for customer data.

    8) Firms must also recognize that risks are not entirely within their own control. Some risks come from outsourced services and cloud-based computing systems. Brokerage firms have less control over the security of cloud-based systems and must review the procedures and security measures of their vendors to ensure protection standards are implemented at the level that securities brokerages are required to maintain.
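
As an added example, not code from the presentation or from RND Resources, here is the kind of web-log review the enforcement case study faulted the firm for skipping and that point 7 recommends: a Python script that parses combined-format web server log lines, percent-decodes each request path and flags requests carrying textbook SQL injection indicators, then counts flagged requests per client address so a reviewer can see a probing source at a glance. The log lines, addresses and indicator patterns are constructed for illustration and are not from the FINRA report.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample entries in combined log format (illustrative, not from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2015:10:01:12 +0000] "GET /account?id=1001 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2015:10:02:40 +0000] "GET /account?id=1001%27%20OR%201%3D1-- HTTP/1.1" 200 90412 "-" "curl/7.38"
198.51.100.9 - - [03/Feb/2015:10:02:55 +0000] "GET /account?id=1001%20UNION%20SELECT%201,2 HTTP/1.1" 500 512 "-" "curl/7.38"
203.0.113.7 - - [03/Feb/2015:10:03:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# One combined-format line: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Textbook SQL injection indicators, matched against the percent-decoded request path.
SQLI_INDICATORS = [
    re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),                 # quote plus tautology
    re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),  # UNION-based probe
    re.compile(r"(--|/\*)"),                                      # SQL comment sequences
]

def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode twice so that double-encoded probes are also matched in clear text.
    rec["decoded_path"] = unquote_plus(unquote_plus(rec["path"]))
    return rec

def review_web_log(text):
    """Return (flagged records, number of flagged requests per client IP)."""
    flagged = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [p.pattern for p in SQLI_INDICATORS if p.search(rec["decoded_path"])]
        if hits:
            rec["indicators"] = hits
            flagged.append(rec)
    return flagged, Counter(r["ip"] for r in flagged)
if __name__ == "__main__":
    for r in review_web_log(SAMPLE_LOG)[0]:
        print(f'{r["ts"]} {r["ip"]} {r["method"]} {r["decoded_path"]} -> HTTP {r["status"]}')
```

On the sample, both flagged requests come from the same client, which is the per-source pattern a routine log review would surface well before any extortion attempt.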

  • 9) FINRA reported several key concerns with cloud-based computing and outsourced vendor services. Investment and Securities firms must exercise due diligence in who they do business with and what their capabilities are. Firms should interview vendor companies to identify which security measures are in place and to ensure they are compliant with investment firm standards.

    10) Cyber security is a growing risk to broker-dealers, investment advisers, hedge-fund managers, and family practices. RND Resources is actively engaged in reviewing investment firms' and practices' cyber security programs, making recommendations and establishing procedural standards. It is important for firms to have their cyber security strategy assessed for its ability to prevent attacks and to recover quickly if one happens. Some states have specific laws with regard to disclosure of cyber attacks. Firms must maintain standards compliant with their local and state laws as well as regulatory standards.

    11) RND Resources, Inc is leading securities and brokerage professionals to successfully implement compliance with FINRA and SEC standards. We are experts at helping firms reach their compliance goals. Our company is a member of ISACA, the Information Systems Audit and Control Association, which serves to keep members informed of threats in the IT landscape and focuses on IT governance. RND is also a member of NSCP, the National Society of Compliance Professionals. Contact us for information about how we can help your firm protect itself from attack and meet regulatory standards. Phone (818) 657-0288 or visit our website at www.finracompliance.com.

