18 Jul
Is Your Firm Cyber Compliant?
What would you do if you came across an imposter website of your firm’s actual site? Recently, several member firms notified FINRA that they’ve been victims of imposter websites with malicious intent. These copycat sites are designed to obtain sensitive data and potentially commit financial fraud. In some cases, email domains are created to match the imposter site, making it seem legitimate. Who would know otherwise?
With looming cybersecurity threats like this, it is imperative that your firm be proactive in safeguarding your and your clients’ data. Imposter websites are just the latest example of broker-dealers’ and RIAs’ struggle to keep up with the constantly changing cybersecurity landscape. As firms become more versed in their preventative tactics, hackers and others seeking to profit from the security vulnerabilities of financial firms devise new and more complex methods of accomplishing their objectives. It is crucial to always be aware of new cyber threats; no cybersecurity program is foolproof, regardless of the size or status of your firm. To avoid becoming the next cyber casualty, follow the guidance FINRA and the SEC have provided to help mitigate your risk.
Complying with FINRA’s cybersecurity policies can help safeguard your firm’s sensitive data. If your firm has multiple branch offices, it is important to implement procedures at the branch level that meet the same security standards set by the home office. It is often said that a team, or in this case your firm, is only as strong as its weakest link. Even though centralized operations do not occur at branch offices, they are just as vulnerable to a cyber-attack as the home office.
Furthermore, establishing Written Supervisory Procedures (WSPs) to define cybersecurity controls can help protect your firm from a potential security breach. Keep in mind, WSPs must be updated regularly to keep up with new and changing threats. FINRA’s guidance helps broker-dealers, large and small, develop their cybersecurity program in the following areas:
- Branch controls: branch-level WSPs, asset inventory, technical controls, branch review program
- Identifying and mitigating insider threats
- Limiting phishing attacks
- Implementing penetration testing
- Maintaining controls on mobile devices
Registered Investment Advisors (RIAs):
As cyber threats evolve, the SEC continually increases security expectations that RIAs must meet in order to continue operating. While there are certain security procedures your RIA might already be implementing, it is crucial to be educated about governmental policies, as well as the ever-changing cybersecurity landscape. There are cyber protocols you should follow and others you should avoid when increasing internal security:
- Train staff to recognize and report suspicious emails
- Install a network firewall and antivirus software on all devices in use
- Enforce security procedures to prevent attacks
- Create an incident response plan
- Employ two-factor authentication if possible as an extra layer of security
While some of these steps may seem obvious, RIAs suffer from not taking these steps seriously and failing to acknowledge the very real likelihood of a cyber-attack. Do not let your firm fall into this pattern.
Mergers and Acquisitions:
If your firm is going through a merger or acquisition, it is imperative that cybersecurity due diligence is performed before systems are integrated, to surface weaknesses, and immediately after they have been integrated, to confirm that no gaps remain. Transactions like these pose specific vulnerabilities that must be understood completely by your firm and all involved parties.
Regardless of whether your firm is a broker-dealer or an RIA, there are certain actions your firm can take to increase security. As mentioned before, multifactor authentication, antivirus software and firewalls are some preventative measures that could have a substantial impact on the extent to which your network is secure. Other practices include:
- Consistently backing up data
- Ensuring your systems are protected by strong passwords that are changed on a regular basis
- Holding employees accountable through signed documents indicating their awareness of your firm’s security protocols
- Considering mobile devices such as smart watches when drafting your compliance program
- Vendor management due diligence
- Incident response plan
- Training for all employees and contractors
- Access rights and controls
Firms should avoid:
- Emailing confidential information to clients
- Permitting staff to access information while abroad
- Accepting wiring instructions through email (A secure approach is to confirm wire requests verbally, and RIAs should properly educate their clients on this process.)
Implementing these practices within your firm will help safeguard your network. However, ongoing monitoring and testing are a must if your firm is to stay proactive and combat cyber-attacks.
We Have a Solution for You!
Protection from a cyber breach is within your reach: leverage the power of SDDco Cyber for your firm’s cybersecurity compliance program! Our experienced consultants are dedicated and prepared to review your current security protocols and to implement new policies to ensure you are protected.
- Become compliant with all state and federal requirements including FINRA, NYDFS, SEC, etc.
- Infrastructure Testing including Penetration Testing
- Customized and Tested Policies and Procedures
- Fully Managed Incident Response Coverage
- Data Security Training
- Vendor Due Diligence
- Risk Assessments