What is this whole CyberSecurity Audit anyhow? In short, it’s a VERY important topic that needs attention immediately. A cybersecurity audit is an evaluation of how well you protect important information. This includes knowing what you have, who has access to it, and how it's protected.
Cybersecurity is one of the principal operational risks facing broker-dealers. Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA.
FINRA is conducting audits of Broker-Dealers and financial advisory firms. They’ve observed myriad areas where some firms need to improve their cybersecurity programs against a wide threat landscape. If you don’t have a cybersecurity program, you need to create one and abide by it. The liabilities are significant if you don’t.
Here is a short list of some of the findings FINRA has observed during 2017:
Access Management: Basic identity and access management (process for adding, deleting, controlling, auditing and reporting).
Risk Assessment: No formal ongoing process to assess risks - or never having completed an assessment - and could not identify their critical assets.
Vendor Management: No formal processes to determine a vendor’s cybersecurity preparedness. Responsibility cannot be outsourced. A vendor has to protect data just the same way a Broker-Dealer is required to.
Data Loss Prevention: Also known as DLP. FINRA observed the need to improve protections in organizations of all sizes, even though many larger and medium-sized companies have implemented DLP in some regard. Specific improvements are needed around securing all PII (personally identifiable information, e.g. SSN, account numbers, etc.).
This is by no means a conclusive list; it is just some of the top FINRA observations during 2017. It all comes down to following industry Best Standards for cybersecurity. Many organizations, especially smaller Financial Advisor firms, need help. Don't be afraid to ask.
Watch for another post regarding the threat landscape for financial advisory firms and broker-dealers, as well as common issues that come up.
You are welcome to reach out to TCA if you have questions or need help in your organization.