Financial firms have been prime targets for network and data attacks. A recent U.S. Financial Industry Regulatory Authority (FINRA) report (PDF) describes how securities firms such as broker-dealers are protecting themselves from cyberrisks and provides recommendations for improving their security measures.
"Broker-deals face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program," says Susan Axelrod, executive vice president for regulatory operations at the independent regulator.
The Report on Cybersecurity Practices is based on a 2014 examination of U.S. securities firms and a 2011 survey of 224 firms. FINRA's research reveals that the top three threats broker-dealers face are hackers penetrating their systems, insiders compromising firm or client data, and operational risks. To help firms mitigate these threats, the report provides observations and guidance in eight areas.
The FINRA report recommends that firms implement an information security governance framework to help identify risks, determine their severity, and support decisions on managing them based on the organization's risk appetite. The framework should encompass policies, processes, structures, and relevant controls.
An organization's framework should emphasize management and board involvement in cybersecurity issues, FINRA advises. Insufficient involvement can make organizations more vulnerable to data and network breaches, as well as regulatory risks such as being cited under the U.S. Securities and Exchange Commission's "Red Flags Rule."
Beyond the board and top management, the framework also should incorporate views from business units, IT, risk management, and internal audit, the report states. Internal audit should assess the implementation and effectiveness of the cybersecurity program, especially its controls and processes.
The FINRA report recommends organizations perform risk assessments regularly to identify information security risks associated with their assets and vendors. The first step should be creating an asset inventory to identify the assets the organization has and their importance for protection.
Next, FINRA recommends that organizations maintain a risk assessment program to identify asset vulnerabilities, review threat and vulnerability information, document internal and external threats, determine their potential impact and likelihood, and come up with risk responses. In the agency's 2014 sweep of securities firms, more than 80 percent of firms had such programs, with many drawing on ISACA's COBIT or the ISO/IEC 27001 framework. Firms typically viewed these risk assessments as part of the organization's broader risk management process.
The report advises organizations to implement technical controls to protect their data, as well as the hardware and software on which it is stored and processed. Key to this is a defense-in-depth strategy that applies multiple layers of security controls throughout an IT infrastructure. These layers include users, application, network and physical perimeter, server, database, and data and asset.
One of the most important controls that need to be in place is identity and access management, especially now that organizations are allowing customers and vendors access to systems, as well as access through mobile devices. Other important controls are encryption and third-party penetration testing.
Incident Response Planning
With security breaches becoming more common, organizations need policies and procedures for responding to incidents, the FINRA report advises. Response plans should detail the roles and responsibilities of individuals in the event of an incident. Some organizations have dedicated computer security incident response teams for such situations, the report notes.
Response plans should prepare for incidents that organizations are most likely to encounter, including compromises of customer personal data, data corruption, denial-of-service attacks, network intrusions, and malware. Moreover, plans should spell out the organization's strategy for containing or mitigating various types of incidents, recovery plans for systems and data, processes for investigating and assessing damage, and communication.
The growing use of third-party vendors raises information security risks throughout the relationship's life cycle that some organizations may not be addressing. According to The New York Times, nearly one-third of banks surveyed by the New York Department of Financial Services don't require such vendors to inform them of information security breaches, and less than half perform on-site assessments of vendors.
The FINRA report recommends organizations manage vendor risks by performing due diligence on both prospective and existing service providers, and ensuring that contract terms are appropriate given the sensitivity of systems and data to which vendors may have access. Moreover, it advises organizations to make vendor relationships part of the organization's ongoing risk assessment and to have procedures for terminating vendor access at the end of the contract.
To address employee risk, organizations need to train personnel about information security risks, the report says. In FINRA's reviews, 95 percent of securities firms provided mandatory cybersecurity training to employees at least annually, which usually consisted of awareness training for all staff and targeted training for specific staff members. FINRA recommends organizations update training often to reflect changing threats.
Cyber Intelligence and Information Sharing
The report advises organizations to gather intelligence information about cybersecurity threats to better detect and respond to them. Organizations should assign someone responsibility for collecting and analyzing threat information and have ways to communicate that information to appropriate groups.
One source of intelligence is through an information sharing and analysis center (ISAC), such as the financial services industry's FS-ISAC. In its sweeps, FINRA found that 72 percent of securities firms shared information through FS-ISAC, while half shared it with the U.S. Computer Emergency Readiness Team. Additionally, many large firms have established in-house threat intelligence centers.
Finally, many firms reviewed by FINRA have turned to cyber insurance to transfer some of the risk or to obtain coverage for gaps that aren't addressed in their existing insurance policies. That may accelerate this year, as Lloyds of London reports there has been a 90 percent increase in cyber insurance applications in just the first quarter of 2015 compared to last year.
FINRA recommends organizations that need coverage evaluate how insurance plans would enhance their ability to manage the financial impact of a security incident. Organizations that already have cyber insurance should assess the adequacy of their coverage in light of their risk assessment.