On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.   

There is no doubt that “spear phishing” and “whaling” are very real threats to financial institutions today. As the Securities & Exchange Commission (SEC) detailed in a recent investigation report, the FBI estimates that “’business email compromises’ have caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017 – the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.’”[2]

While the SEC’s 21(a) Report focuses on risk and controls for public companies, the financial services industry, even the non-public company segment of the industry, faces the same risk and similar regulator expectations and requirements of effective controls to protect customer and firm information and assets. The SEC found that emails sent to firm staff from “fake” firm executives or vendors requested funds be wired to specified accounts. Employees at nine companies fell for the spoofed emails and, together, the issuers lost nearly $100 million.

The SEC’s 21(a) Report found that the schemes were “not sophisticated in design or the use of technology: instead they relied on … weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.”[3]

The phishing segment of FINRA’s Cybersecurity Report conveys information on two topics: (1) how they do it (what to watch for — sources and types of communications) and (2) suggested best practices to combat the threat.

On the “how they do it front,” FINRA details the different types of senders (entities and individuals), as well as the typical characteristics of phishing emails. Further, the Report, recognizing the increasing sophistication of such attacks, also details several different characteristics, as well as examples, of phishing communications. Whether the phisher is seeking customer personal identifiable information or fraudulent wire transfers, if firms develop policies and procedures and focus training on the types of senders (or hackers/phishers) to watch out for and the typical variations of such communications, this will mitigate risk that of employees falling victim to the scams.

Importantly, FINRA’s Report details a dozen best practices implemented by firms to combat the phishing threat.[4] While we commend the review of the full list of best practices to firms, we wanted to emphasize four of the recommended effective practices.

  • Creating policies and procedures that address phishing practices including identifying such emails, what to do when such emails are suspected (e.g., do not click on links, notify technology and compliance, confirming wire transfers, etc.).
  • Establishing robust confirmation policies and procedures for executing transaction requests.
  • Periodic, mandatory training of employees and associated persons on phishing practices and policies and procedures for disseminating information. Training allows the firm to provide updates on new phishing tactics and remind everyone of the specifics of the anti-phishing policies and procedures as well as the risks to customers and the firm of noncompliance.
  • Developing remedial training and imposing consequences for those who repeatedly violate firm phishing protocols. Impressing the importance of everyone’s adherence to firm policies and procedures in this area is one way to close potential gaps that hackers can exploit. This includes following up when the firm is on notice of individuals who violate the policies.

These effective or best practices are similar to those highlighted in the SEC’s 21(a) Report. For example, the SEC ultimately concluded that, while the companies involved in the matter had implemented policies and procedures and training, “weaknesses in the policies and procedures and human vulnerabilities” needed to be factored into the development of controls specifically geared to cyber threats.[5] The SEC emphasized the need to reassess internal controls through the lens of cyber-security threats. While it is always best if that reassessment can occur in advance of a cyber-event, at a minimum, taking steps to shore up payment authorization and verification requirements and enhance training after an event, as the issuers investigated by the SEC staff did, is imperative to protect customers and the firm.

Finally, FINRA, recognizing that successful attacks may start with the customers, recommends that firms also educate their customers and direct them to resources that help them protect themselves.

FINRA’s Report provides comprehensive information for firms to combat cyber-related frauds. While the scammers continue to alter their tactics and increase the sophistication of the scams, implementing internal controls and effective policies and procedures that stay ahead of the scams and implementing effective training provide important risk mitigation strategies.


[1] FINRA Report on Selected Cybersecurity Practices – 2018, December 20, 2018 (“FINRA Report”).

[2] SEC Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls, Rel. 34-82429 (Oct. 16, 2018) (“SEC 21(a) Report”).

[3] SEC 21(a) Report at 5.

[4] FINRA Report at 7.

[5] SEC 21(a) Report at 5-7.