FINRA Cybersecurity: Where Should Financial Services Firms Focus on Cloud Compliance?
What do the FINRA cybersecurity rules mean for financial services firms using Salesforce and other mission-critical cloud applications?
Financial services firms and broker-dealers are no strangers to the cloud – in fact, the finance cloud market is predicted to grow at a CAGR of 24.4 percent, to $29.47 billion, by 2021. Customer applications are likely to see the greatest growth, thanks to their benefits of greater productivity, lower costs, and advanced data analytics. FINRA itself has been able to process an “unprecedented” amount of market activity thanks to cloud storage. Still, the FINRA cybersecurity principles make it clear that cloud applications are subject to the same rules as any other technology when it comes to protecting sensitive customer data.
What is Cybersecurity, and Why is it Important?
FINRA defines “cybersecurity” simply: Protecting investor and firm information from compromise (i.e., loss of data confidentiality, integrity, or availability) due to the use of electronic digital media like computers or mobile devices. This includes any data that’s stored in applications like Salesforce or Financial Services Cloud. It’s no wonder the organization has doubled down on cybersecurity enforcement:
- The financial services industry has the highest cost per breached record of any industry except healthcare (which is No. 1), with firms losing, on average, $206 for every record breached.
- Financial services breaches tripled in just five years.
- Financial services pays the highest annual price for cybercrime, at an average of $18.28 million – 9.6 percent higher than the previous year.
- Yet breach prevention ranks third in the list of CISO priorities, according to a report from the Financial Services Information Sharing and Analysis Center, behind employee training and infrastructure upgrades/network defense.
Accenture found that DDoS attacks, phishing, and social engineering represented the costliest attacks – but malicious insiders weren’t far behind at No. 3, costing an average of $169,099 per attack. An insider-based attack also takes the second-longest time to resolve – on average, 58.8 days, behind 65.8 days for malicious code.
FINRA essentially assesses whether a firm can protect its customers’ sensitive information, maintaining its confidentiality, integrity, and availability. Compliance is measured against key SEC regulations, including:
- Regulation S-P (17 CFR 248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access.
- Regulation S-ID (17 CFR 248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft.
- The Securities Exchange Act of 1934 (17 CFR 240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format.
When focusing on individual firms, FINRA reviews their approach to all facets of cybersecurity risk management, including governance and risk management, risk assessments, technical controls, incident response, vendor management, staff training, and cyber intelligence and information sharing.
First, let’s review some major challenges FINRA uncovered in its last sweep of exams. Then, we’ll address FINRA’s best practices for each of its key areas of review.
Major Challenges in Financial Services Cybersecurity
During FINRA’s 2017 round of exams, the group determined that many firms have identified cybersecurity as a significant risk. As such, they’ve largely defined and documented policies and procedures, established metrics and reporting, and formed formal governance groups that meet regularly. Still, some challenges remain.
- Access Management: Basic access management issues persist. For one, it takes some firms too long to terminate a departing employee’s access to firm systems. Other firms lack procedures for logging, monitoring, and supervising privileged user activities (e.g., assigning themselves additional access rights, performing work outside the authorized hours).
- Branch Office Cybersecurity: Branch offices were found to have the greatest challenges with the most basic of security tactics. These include managing secure passwords, regularly installing patches and software updates, leveraging anti-virus software, encrypting data, and reporting incidents.
- Segregation of Duties: Particularly for medium- and small-sized firms, FINRA found that they did not segregate responsibilities for requesting, implementing, and approving cybersecurity rules and system changes. In one example, some firms allowed application developers to access sensitive data in production systems — and, in some cases, put application code into production without oversight.
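The three access-management gaps above (slow de-provisioning, privileged users granting themselves rights, and privileged work outside authorized hours) are all detectable from an application audit trail. The following is an added example, not code from FINRA or Salesforce: it runs those checks over a constructed audit log; the record fields, the HR termination roster, and the 07:00–19:00 window are assumptions, not a vendor schema.

```python
"""Detection checks for the access-management gaps FINRA flagged.

Reads a setup-audit-trail style log and reports (1) accounts still active
after their HR termination date, (2) privileged actions a user applied to
themselves, and (3) privileged actions outside the authorized-hours window.
"""
from datetime import datetime, date

# Constructed sample records; field names are assumptions, not a vendor schema.
AUDIT_LOG = [
    {"ts": "2024-03-04T09:15:00", "actor": "alice", "action": "PermissionSetAssign", "target": "bob"},
    {"ts": "2024-03-04T22:40:00", "actor": "alice", "action": "PermissionSetAssign", "target": "alice"},
    {"ts": "2024-03-05T10:05:00", "actor": "carol", "action": "ReportExport", "target": "AccountsAll"},
    {"ts": "2024-03-06T11:30:00", "actor": "dave", "action": "Login", "target": "-"},
]

# Actions that change who can do what; treated as privileged (assumed list).
PRIVILEGED_ACTIONS = {"PermissionSetAssign", "ProfileChange", "LoginAsUser"}

# Constructed HR roster: user -> last day of employment.
TERMINATED = {"dave": date(2024, 3, 1)}

# Privileged work is authorized between 07:00 and 19:00 local time (assumption).
AUTHORIZED_HOURS = (7, 19)


def review_access_log(log, terminated, hours=AUTHORIZED_HOURS, privileged=PRIVILEGED_ACTIONS):
    """Return a list of (actor, finding, detail) tuples for supervisory review."""
    findings = []
    start, end = hours
    for rec in log:
        ts = datetime.fromisoformat(rec["ts"])
        actor, action = rec["actor"], rec["action"]

        # Gap 1: any activity after the termination date means access was not revoked;
        # the detail is the de-provisioning lag in days.
        term = terminated.get(actor)
        if term and ts.date() > term:
            findings.append((actor, "active after termination", (ts.date() - term).days))

        # Gap 2: a privileged user assigning rights to their own account.
        if action in privileged and rec["target"] == actor:
            findings.append((actor, "self-granted privilege", action))

        # Gap 3: privileged action outside the authorized window.
        if action in privileged and not (start <= ts.hour < end):
            findings.append((actor, "privileged action outside authorized hours", ts.hour))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(AUDIT_LOG, TERMINATED):
        print(finding)
```

Feeding the same function the real audit export and HR roster gives a daily exception report that a supervisor can sign off, which is the logging-and-supervision procedure the finding says many firms lack.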
Best Practices for 7 Key Areas of FINRA Cybersecurity
1. Governance and Risk Management
“Firms should establish and implement a cybersecurity governance framework that supports informed decision-making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes, and structures coupled with relevant controls tailored to the nature of cybersecurity risks the firm faces and the resources the firm has available.”
FINRA recommends the following best practices for governance and risk management, which can be applied to the governance of data in your cloud systems, as well:
- Define a governance framework based on your firm’s risk appetite that will support your decision-making process.
- Involve senior management, and, if appropriate, your board in all cybersecurity issues.
- Identify and follow industry-standard frameworks and standards that address cybersecurity (e.g., NIST, ISO 27001/27002, ISACA’s Control Objectives for Information and Related Technology (COBIT 5), PCI DSS).
- Use metrics and thresholds to determine whether your governance program is successful.
- Dedicate resources to achieving the right risk posture for your firm.
- Perform regular cybersecurity risk assessments.
2. Cybersecurity Risk Assessments
“Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors and prioritize their remediation.”
FINRA is, most of all, concerned with whether firms have the right risk management tactics in place should they need to address a threat. Risk assessment best practices include:
- Identify and maintain an inventory of everything that’s been authorized to access your firm’s network, along with the critical assets that require protection.
- Assess external and internal threats or vulnerabilities.
- Develop prioritized, time-bound recommendations for remediating any risks you discover.
3. Technical Controls
“Firms should implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself.”
When it comes to setting technical controls for cloud applications and other systems, FINRA’s best practices recommend:
- Implement a defense-in-depth strategy that includes application-layer security like user activity monitoring on Salesforce and other cloud applications.
- Select controls that are appropriate to your firm’s specific technology/threat environment. These might include identity and access management, data encryption, and proactive monitoring.
4. Incident Response Planning
“Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents.”
Incident response planning best practices include:
- Prepare incident responses for the incidents your firm is most likely to encounter (e.g., loss of customer PII, data corruption, malware infection) based on your risk assessment and other factors.
- Incorporate intelligence on current threats to identify the most common types of incidents and attacks.
- Develop strategies for containing and mitigating various types of incidents.
- Make eradication and recovery plans for systems and data.
- Put processes in place for investigating and assessing damage incurred by an incident or attack.
- Prepare a plan for communication with and notifying key stakeholders (e.g., customers, regulators, law enforcement).
- Take advantage of simulation exercises that match your firm’s scale and individual roles.
- Put in place measures for maintaining client confidence. These might include credit monitoring for investors with exposed PII or reimbursement for any financial losses incurred.
5. Vendor Management
“Firms should manage cybersecurity risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management.”
When dealing with third-party vendors like cloud application providers, financial services firms should make sure to:
- Perform due diligence before signing contracts with any service providers.
- Develop contractual terms that take into account the sensitivity of any information or systems vendors may have access to. These terms should guide both the ongoing relationship with the vendor, as well as the post-relationship stage — what are the vendor’s obligations with your firm’s data?
- Perform ongoing due diligence for existing vendors.
- Assess vendor relationships during the risk assessment process.
- Establish and enact procedures for terminating vendor access to systems once the contract ends.
- Establish, maintain, and monitor any vendor entitlements, as appropriate for your firm’s risk appetite.
6. Staff Training
“Firms should provide cybersecurity training that is tailored to meet staff needs.”
Training may be one of the most important areas of cybersecurity for financial services firms, as employees are one of the main sources of such risk. According to FINRA, the majority of attacks came from employee mistakes like downloading malware or responding to a phishing attack. FINRA best practices for training staff on cloud application compliance include:
- Define the primary goal and requirements of cybersecurity training.
- Identify the right frequency and timing for your cybersecurity training.
- Solicit audience participation and leverage interactive training to encourage retention of the information being taught.
- Use your firm’s loss incidents, risk assessment process, and threat intelligence gathering to develop specific training areas.
7. Cyber Intelligence and Information Sharing
“Firms should use cyber threat intelligence to improve their ability to identify, detect, and respond to cybersecurity threats.”
Cyber threats are advancing at a rapid pace, with attacks becoming more and more sophisticated in order to evade the barrage of tools designed to prevent and mitigate damage. That makes it imperative for financial services firms to communicate with one another about threats encountered and potential solutions. Best practices include:
- Assign responsibilities to both the organization as a whole and to individuals for gathering cybersecurity intelligence and analyzing threats.
- Establish a way to quickly distribute intelligence and analysis of threats to key internal groups and stakeholders.
- Evaluate intelligence both tactically and strategically.
- Participate in organizations that share information (e.g., FS-ISAC) and continually evaluate the partners you’re getting information from.
Cybersecurity should be a high priority for financial services firms — and, by and large, it is. FINRA cybersecurity rules provide excellent guidance for how financial services organizations can stay compliant with key SEC regulations and keep sensitive investor and company data secure, available, and complete. By following the best practices above and keeping an eye on how users are using your cloud applications like Salesforce, you can ensure a 360-degree compliance posture that mitigates risk and creates a culture of compliance and security.