On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the third in a series of summaries sharing essential, timely insight on how these practices may impact your business.

This post focuses on threats posed by insiders of the firm, which may be created by either deliberate, malicious conduct or by inadvertent mistakes. Both types of data breaches create significant risk to the firm and its customers. In the Report, FINRA notes that, while most higher revenue firms (95-99%) address insider threats as part of the program, only 66% of mid-level revenue firms address such risks. Its assessment comes from their review of firm responses to relevant inquiry areas in the 2017 and 2018 their Risk Control Assessment (RCA).

FINRA identified five elements of an effective risk-based insider threat program. They discuss: (1) executive and management support of the program; (2) access management policies and procedures; (3) technological controls, including security information and event management (SIEM) and data loss prevention (DLP) tools, scaled to the scope and technological complexity of the firm; (4) training; and (5) controls to identify potentially unusual user behavior in the firm’s network. FINRA also notes that undertaking a comprehensive asset inventory is also an important element of an effective program.

We want to highlight several of the key areas and effective practices identified in the Report. We encourage a full read of the Report for leadership and those responsible for designing and implementing cybersecurity programs to benefit from best practices adopted by firms to address insider threats.

We have also provided additional information from the SEC’s August 2017 Risk Alert: Observations from Cybersecurity Examinations (“OCIE Risk Alert: Observations from Cybersecurity Examinations”) and FINRA disciplinary actions in this area, both of which offer further support for FINRA’s findings.[1]

Executive and Management Support

Simply put – “tone at the top” matters in order for a firm’s insider threat controls to be effective. FINRA identifies a number of effective management practices that leaders may implement to strengthen their firm’s program. First and most importantly, executive and senior management must demonstrate their own commitment to comply with the firm’s cybersecurity policies and procedures. Executive leadership also mitigates the risk of insider threats by, among other things, ensuring there are consequences for policy violations, regardless of the individual’s position, establishing appropriate escalation processes when issues arise, and ensuring processes are in place to timely change access to confidential information when an employee resigns, is terminated, or moves to a new department or position.

The SEC’s 2017 Risk Alert also noted the importance an “engaged senior management” to ensure a robust cybersecurity program.[2]

Identity Access Management and User Entitlements and Heightened Controls for Privileged Users

In the Report, FINRA highlights the importance of effective identity access management (IAS) and user entitlement processes, which “serve as a first line of defense” at the firm. FINRA identifies a number of best practices, including:

• Establishing and implementing written supervisory procedures that manage the full lifecycle of system access – from onboarding, department/function transfers, and terminations/resignations;
• Conducting periodic review of user entitlements;
• Implementing comprehensive password controls – requiring complex passwords, periodic changes, and lockouts with multiple unsuccessful login attempts.
• Implementing processes that link access to automated HR systems so that access can updated or terminated immediately when roles change.   

The SEC also highlighted the importance of effective access rights for an effective cybersecurity program, including tracking requests for changes and modification of rights as functions and employee status changes.[3]

We also note that a number of FINRA enforcement actions have been based on a firm’s failure to timely terminate access when an associated person was terminated.[4]

Data Loss Prevention (DLP)

Another insider threat observed by FINRA, which may be mitigated by a robust DLP program, is the inadvertent or malicious transmission of sensitive customer or firm information. DLP programs identify sensitive customer and firm information and implement controls to prevent inappropriate transmission of the information. FINRA identifies eight best practices they observed, including:

• Implementing a formal DLP program and Written Supervisory Procedures (WSPs) addressing control of information and preventing potential data breaches;
• Requiring user verification prior to sending emails outside the firm;
• Establishing DLP rules to identify and block or encrypt transfer of certain data, including personal confidential information;
• Restricting data downloads to external drives or devices, including USB, CD drives, and other mobile devices; and
• Implementing controls around employees, associated persons, or vendors using personal computers for work, including use of multi-factor authentication or virtual private networks to secure access to firm information.

FINRA has also sanctioned firms that did not adequately protect customer information, including failing to have adequate supervisory systems to protect customer and firm information maintained on unencrypted laptops.[5]

Training

FINRA highlights the importance of training to mitigate insider threats. Further, training is not a “one and done” thing, but, rather, should be conducted on a periodic basis to be effective.

FINRA notes that areas of training that help firms avoid inadvertent data breaches include:

• Handling of customer requests for user name and password changes, money transfers, and identify verification;
• Risks with opening email attachments or links; and
• Illustrating examples of hacker techniques.

The SEC noted in their Risk Alert that some firms, while they had training programs, failed on the implementation side by not ensuring the all employees took the training or by taking action when training was not completed.[6] The SEC then emphasized the importance of a mandatory training program and the need to ensure training occurs at onboarding and periodically thereafter.[7]

Conclusion

FINRA’s observations regarding elements of an effective insider threat programs provide important and timely observations to assist firms in mitigating such risks. We encourage a full read of the Report for executive leadership and those responsible for designing and implementing cybersecurity programs to effectively guard against insider threats, whether inadvertent or intentional conduct. The recommendations are comprehensive and can be tailored to the risks inherent in each firm’s business model.

[1] SEC National Exam Program Risk Alert, Observations from Cybersecurity Examinations, Vol. VI, Issue 5 (Aug. 7, 2017).

[2] OCIE Risk Alert: Observations from Cybersecurity Examinations, at 5.

[3] OCIE Risk Alert: Observations from Cybersecurity Examinations, at 5.

[4] Ameriprise Financial Services, Inc. et al., (AWC 20100251730), March 1, 2013. In Ameriprise Financial Services, Inc., FINRA found that AFSI failed to block computer access in a timely manner for 100 of 200 representatives terminated during the review period. FINRA also found that five of the representatives accessed the systems containing customer personal confidential information. See also, Innovation Partners, LLC (Complaint 2016050957901) (Nov. 26, 2018) (FINRA alleged that, after a representative was terminated, the Firm did not disable his access to the Firm’s email server or his ability to send and receive emails from his Firm email address).

[5] See, Sterne, Agee & Leach, Inc. (AWC 2014041619501) (May 22, 2015).

[6] OCIE Risk Alert: Observations from Cybersecurity Examinations, at 4.

[7] OCIE Risk Alert: Observations from Cybersecurity Examinations, at 5.