Since FINRA began publishing its annual examination priorities letter in 2006, cybersecurity and the protection of customer information have been identified as a top priority every year. The 2021 Report on FINRA’s Examination and Risk Monitoring Programs is no exception. As evidence of its concerns about cybersecurity risk, FINRA has hired a number of individuals into its examination program who have extensive backgrounds in technology and information security.
You can expect informed, deep dive reviews of your cybersecurity programs during examinations.
Cybersecurity Reports and the NIST Framework
FINRA issued two cybersecurity reports in the last decade, an initial report in 2015 and a Report on Selected Cybersecurity Practices in 2018. In these reports FINRA stated that an effective practice is for firms to evaluate relevant industry frameworks and standards as reference points in developing their approach to cybersecurity. In fact, FINRA bases much of its assessment criteria on the framework developed by the National Institute of Standards and Technology, or the “NIST” framework.
FINRA stated that the NIST framework “provides a thorough, yet flexible risk-based approach for understanding where an organization stands in terms of its cybersecurity activities and where it would like to be to ensure that it is able to achieve its cybersecurity risk management priorities as defined by organizational goals, legal and regulatory requirements, and industry best practices.” This “helps reframe cybersecurity issues in risk management terms that may be more understandable for decision-makers”. Firms should consult well-known industry frameworks such as the one provided by NIST when developing and testing their cybersecurity programs.
Considerations and Effective Practices
In its 2021 letter, FINRA identified a number of considerations and effective practices it would like to see included in firm programs. These considerations and practices lay out practical steps firms can take to develop, implement and test cybersecurity controls that are consistent with each firm’s risk profile, business model and scope of operations.
Governance. One area highlighted for consideration is whether a firm has a robust governance structure designed to effectively identify and respond to cyber risks. This includes defining the firm’s risk appetite, creating a framework for decision making, developing metrics for assessing the program’s effectiveness and determining the level of resources necessary to carry out the program’s functions.
Data Loss Prevention Controls. Data loss prevention controls include encryption, access management, authentication, monitoring, testing and patch management. FINRA is concerned not only about the development of firm-level policies and controls, but also about the implementation of those controls at the branch level. You can expect this to be an area of review during branch examinations.
Other considerations identified include training, controls around system changes, and testing systems before moving them into a production environment.
Effective practices. Effective practices identified include taking a collaborative approach across departments and disciplines in assessing risk areas, managing access controls and investigating potential red flags. FINRA has also identified incident response planning as an effective practice. This includes conducting threat assessments, containment and mitigation strategies, stakeholder outreach, and eradication and recovery plans. Vendor due diligence, technology change management processes, and a defined software development cycle are also identified as effective practices, as are system patching and creating an inventory of critical information, technology assets and corresponding cybersecurity controls.
It is critical that firms have a process in place to assess their cybersecurity risk and controls and to take steps to strengthen controls if gaps are identified. Oyster Consulting can partner with you to help bridge the gap between business and technology, ensuring that you have the controls in place to protect you and your clients from the threats of today’s world. Oyster bases its assessment practices on the NIST framework: identify, detect, protect, respond, recover. For more information about how Oyster can help you assess your cybersecurity program and identify opportunities to strengthen controls around this critical area, click here or call (804) 965-5400.