What is FINRA?
FINRA, the Financial Industry Regulatory Authority, is a non-profit self regulatory organization that ensures the integrity of the market, allowing investors and firms to participate with confidence. FINRA is authorized by Congress to protect America’s investors by assuring that the broker-dealer sector functions fairly and ethically.
They ensure that when you invest your money in the market, those brokerage firms are doing what they are supposed to be doing. Compliance, best practices, etc.
FINRA regulates over 4,000 security firms and more than 640,000 brokers ensuring that investors are protected.
FINRA has developed its own set of regulations and policies which brokers and brokerage firms must adhere to. FINRA mandates all brokers to be licensed and registered. FINRA ensures that all brokers have undergone their examinations, have the relevant qualifications, and satisfy continuing education requirements.
There are hundreds of professionally trained financial examiners who investigate FINRA brokers and their business practices. In-depth investigations are performed immediately upon suspicion of infractions against FINRA and SEC rules.
Brokerage firms that ignore FINRA regulations and individual brokers who do not abide by FINRA rules face disciplinary action.
Most FINRA services are not necessarily cybersecurity-based.
However, protecting investors means protecting their data, too. Given the evolving nature, rising frequency, and increasing complexity of cybersecurity attacks – along with the risk of harm to firms, investors, and the markets – cybersecurity best practices are a key focus for FINRA and for all businesses.
Therefore, FINRA has created a Small Firm Cybersecurity Checklist which supports small firms in establishing cybersecurity programs.
The framework also checks if financial institutions’ suppliers have established cybersecurity policies and procedures, as well as proof that these vendors can maintain them.
What are the requirements for FINRA’s Cybersecurity Checklist?
FINRA’s cybersecurity checklist is primarily derived from the NIST CSF and FINRA’s Report on Cybersecurity Practices.
The checklist is in excel format and has two explanatory tabs, followed by 12 sections with each tab containing a different cybersecurity topic, and finally, the summary report.
The first two tabs contain the “Overview” tab and the “Resources” tab:
- The Overview tab discusses the checklist’s purpose and methods, and asks five questions that dictate which of the 12 sections you should complete (most financial services SMBs will need to complete all 12).
- The Resources tab provides informative background links for each of the 12 sections. The links, to sources like FINRA, NIST, AICPA and FFIEC, provide context on why the document asks for the information that it does.
The next 12 sections are as follows:
- Section 1 – Identify and Assess Risks: Inventory
- Section 2 – Identify and Assess Risks: Minimize Use
- Section 3 – Identify and Assess Risks: Third Party Access
- Section 4 – Protect: Information Assets
- Section 5 – Protect: Systems Assets
- Section 6 – Protect: Encryption
- Section 7 – Protect: Employee Devices
- Section 8 – Protect: Controls and Staff Training
- Section 9 – Detect: Penetration Testing
- Section 10 – Detect: Intrusion
- Section 11 – Response Plan
- Section 12 – Recovery
The final tab, the “Summary Report,” aggregates your responses from sections 1-12 and can be utilized to determine your cybersecurity risks, where you may need to allocate budget and resources to mitigate risks, and where you can choose to accept the risk. This report may also be useful in keeping executives and board members updated.
Firms should complete the relevant sections, assess where they are holding through the Summary Report, and mitigate risks and vulnerabilities as needed.
Why should you be FINRA compliant?
FINRA’s Small Firm Cybersecurity Checklist enables small firms to:
- Identify and assess cyber risks
- Protect assets from cyber attacks
- Detect when their systems and assets have been breached
- Prepare for the response when a compromise occurs
- Establish a plan to recover lost, stolen or unavailable assets
FINRA assesses firms’ approaches to cybersecurity risk management through audits of their controls in areas including: risk assessment, data loss prevention, staff training, access management, technology governance, system change management, incident response, branch controls, vendor management and technical controls. Through these assessments, FINRA also evaluates a firm’s capability to maintain the confidentiality, integrity, and availability of sensitive customer information. Completing the checklist ensures that your organization has a robust cybersecurity program in place enabling you to confidently pass FINRA’s evaluation.
One reason you may initially think to ignore this checklist, is that you may believe that your broker-dealer, parent company, or some other entity further up the corporate ladder handles all your cyber risks. This is almost never the case. And it could turn into a serious and costly problem if a data breach results in a lawsuit, and you can’t prove that you had a good cybersecurity plan in place when the compromise occurred.
The FINRA checklist requires more than just checking yes or no on a long list of cybersecurity controls — it takes significant time and effort. This is a good thing.
If you collaborate with your IT staff and/or vendors to complete this document, you’ll have a comprehensive cybersecurity program in place.
Lastly, broker-dealers face many cybersecurity threats, including:
- Vendor Breaches
- Fraudulent Wires
- Distributed Denial-of-Service (“DDoS”) Attacks
- Account Compromise or Takeover
- Imposter Websites
By utilizing this checklist, firms can be sure they have mitigated the chances for these threats to occur.
How to achieve compliance?
Organizations are affected by the growing number of cyber attacks and their complexity, which continue to increase year after year. Cyber risk management is critical in protecting organizations from the reputational and financial damage that can be incurred following a breach. Proper cyber defense can only be achieved by understanding, quantifying, and mitigating all risk, while ensuring compliance with all relevant standards and regulations.
With FINRA’s cybersecurity checklist, firms can identify and inventory their information assets, determine the negative impact to the firm and customers if the assets were compromised, identify potential safeguards and practices that secure the assets, and then make a risk-based evaluation considering their resources, the ramifications of a potential breach, and available processes and protections. Firms may choose to mitigate and take action on the high level threats and vulnerabilities or they may decide that the risk is low enough to accept.
Completing the excel checklist will require time and effort from senior executives at the firm. This is where Centraleyes comes into play. The Centraleyes platform takes FINRA’s excel based checklist and turns it into an easy-to-manage questionnaire, with integrations into security tools, and access to external threat intelligence and data feeds. The platform saves time and resources while creating a far more resilient cyber risk and compliance program. Your cyber risk team can manage the FINRA assessment and report across multiple environments, groups and locations, in one centralized and comprehensive platform. The data is also presented on an AI, automated remediation planner that creates and prioritizes remediation tickets, making it easy to run various automated workflows to close the gaps. This enables leaders to easily interpret the current status and take action. The platform enables streamlined and simple distribution and collection of all necessary data, while automatically analyzing results using the most advanced risk methodologies that exist.