On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in the examination findings report. Not surprisingly, albeit somewhat unusually, the importance of the topic and FINRA’s insights warranted a separate communication.
In the Report, FINRA focuses on five selected topics: (1) cybersecurity controls in branch offices, (2) phishing attacks, (3) insider threats, (4) penetration testing, and (5) controls on mobile devices. We focus here on the first identified threat: branches or other remote offices and the challenges faced by firms in ensuring effective implementation in the branch offices of firm cybersecurity controls, processes, systems, and procedures.
By way of background, the practices highlighted in the Report, which many firms have adopted to mitigate their cybersecurity risk, were identified by FINRA from several regulatory program areas, including, among others, the examination and risk monitoring programs. The Report also draws heavily from the annual Risk Control Assessment (RCA), a lengthy annual questionnaire FINRA sends to firms to collect information about the risks associated with the business models and activities of member firms, the products and services they sell, and the kinds of clients and counterparties with which they deal. FINRA uses the information collected to inform its risk-based surveillance and examination programs. The current Report provides, among other things, summary statistics on the adoption rate of various firm practices to mitigate specific risk.
FINRA highlights the challenges of ensuring that cybersecurity controls are effectively implemented at the branch level. Examples of risks highlighted by FINRA include branches that (1) purchase their own hardware, (2) use non-approved vendors, and (3) do not follow the firm’s software patching or upgrade protocols.
Before discussing the “best practices” that FINRA has observed, it is important to consider the context in which the issue of effective controls in remote offices presents risks.
The number of branch offices, according to FINRA’s published statistics as of November 2018, stands at 156,182. Furthermore, independent broker-dealers are continuing to expand their presence in the financial services industry. (See Independent Broker-Dealers Fastest-Growing Brokerage Group, Investment News, Bruce Kelly, November 28, 2018.) Financial advisors in the independent model are not employees of the firm; instead, they are generally independent contractors. As independent contractors, they are “associated persons” of the firm and subject to the firm’s supervision.
The Securities & Exchange Commission’s recent action against Voya Financial Advisors, Inc. (Voya or VFA), filed September 26, 2018, addressed a host of cybersecurity issues, one of which involved lack of controls at the branch level. The SEC fined Voya Financial $1 million for lack of cybersecurity controls and violations of the Identity Theft Red Flags Rule.
Voya had both employees and independent contractors. As noted in the SEC’s Order:
“VFA has over 1,000 employees, including registered representatives, who work in its home and branch offices, as well as 3,800 other associated persons, including contractor representatives who work out of their own offices in approximately 1,200 locations throughout the United States. The contractor representatives make up the largest part of VFA’s workforce and provide brokerage and investment advisory services to VFA’s customers.” (Emphasis added.)
Independent contractor advisers often use their own technology equipment. This was the case at Voya. As the SEC noted: Voya “independent contractor advisers generally used their own IT equipment and operated over their own networks.” (Voya employees, on the other hand, used equipment and IT systems provided by Voya.)
Risks inherent in these arrangements include, among other things, relying on the individual advisors to ensure that virus scans and software security patches occur in a timely manner and that laptops and other devices are encrypted. In the Voya case, the SEC found that:
“The contractor representatives’ personal computers were supposed to be scanned for the existence of antivirus software, encryption, and certain software updates, but these scans were scheduled to occur only three times per year, and representatives often failed to take the actions that were necessary for the scans to occur. A third-party service provider scanned VFA contractor representatives’ computers after a representative clicked a link sent by the service provider via email. However, some representatives failed to click the link for extended periods of time, if at all. Among the computers that were scanned, the fail rate in each of 2015 and 2016 was approximately 30%, with half of those exhibiting critical failures, such as lack of encryption and antivirus software.”
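The failure modes the SEC describes (devices that were never scanned, scans too old to be meaningful, and critical failures such as missing encryption or antivirus) are exactly what a firm-side posture check should surface. The following is an added illustration, not code from the Report, the SEC order, or any firm: it runs such a check over constructed scan records. The record fields, the 30-day maximum scan age, and the "as of" date are assumptions.

```python
from datetime import date, timedelta

# Constructed sample scan results for contractor-representative endpoints (not real data).
# Each record mirrors the three checks named in the SEC order: antivirus present,
# disk encryption enabled, required software updates applied. last_scan is None
# for a representative who never clicked the scan link.
SCAN_RECORDS = [
    {"device": "rep-001", "last_scan": date(2016, 11, 15), "antivirus": True,  "encrypted": True,  "patched": True},
    {"device": "rep-002", "last_scan": date(2016, 11, 10), "antivirus": False, "encrypted": True,  "patched": True},
    {"device": "rep-003", "last_scan": date(2016, 3, 15),  "antivirus": True,  "encrypted": False, "patched": False},
    {"device": "rep-004", "last_scan": date(2016, 11, 20), "antivirus": True,  "encrypted": True,  "patched": False},
    {"device": "rep-005", "last_scan": date(2016, 11, 25), "antivirus": True,  "encrypted": True,  "patched": True},
    {"device": "rep-006", "last_scan": None,               "antivirus": None,  "encrypted": None,  "patched": None},
]

TODAY = date(2016, 12, 1)           # assumed reporting date for the constructed data
MAX_SCAN_AGE = timedelta(days=30)   # assumed firm policy: monthly, not three times a year
CRITICAL = {"no antivirus", "no encryption"}   # what the SEC order called critical failures

def assess(record, today):
    """Return the set of findings for one endpoint; an empty set means compliant."""
    if record["last_scan"] is None:
        return {"never scanned"}
    findings = set()
    if today - record["last_scan"] > MAX_SCAN_AGE:
        findings.add("stale scan")
    if not record["antivirus"]:
        findings.add("no antivirus")
    if not record["encrypted"]:
        findings.add("no encryption")
    if not record["patched"]:
        findings.add("missing updates")
    return findings

def summarize(records, today):
    """Fleet-level numbers a branch examination program would report on."""
    results = {r["device"]: assess(r, today) for r in records}
    scanned = [d for d, f in results.items() if "never scanned" not in f]
    # Fail rate counts control failures among scanned devices, as the SEC order did;
    # a stale scan is tracked separately because it hides the device's true state.
    control_fail = [d for d in scanned if results[d] & ({"missing updates"} | CRITICAL)]
    critical = [d for d in control_fail if results[d] & CRITICAL]
    stale = [d for d in scanned if "stale scan" in results[d]]
    return {
        "never_scanned": len(records) - len(scanned),
        "stale": stale,
        "fail_rate": len(control_fail) / len(scanned) if scanned else 0.0,
        "critical": critical,
        "findings": results,
    }
```

On the constructed data, `summarize(SCAN_RECORDS, TODAY)` reports one never-scanned device, one stale scan, a 60% fail rate among scanned devices, and two critical failures.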
FINRA-Identified Best Practices
In its Report, FINRA identifies the following effective practices adopted by firms to mitigate risk of cybersecurity issues in branch offices:
- Establishing Written Supervisory Procedures to define minimum cybersecurity controls for branches and formalize oversight of branch offices;
- Developing an inventory of branch-level data, software and hardware assets;
- Maintaining branch technical controls (this includes identity and access management, password controls, encryption standards, etc.); and
- Implementing a robust branch cybersecurity examination program.
The Report details many examples of practices observed by FINRA that firms of all sizes are using to mitigate their risk. FINRA also cites throughout the Report to other resources, including its Small Firm Cybersecurity Checklist and its 2015 Report on Cybersecurity Practices.
To state the obvious, not all of the practices will apply to every firm. That said, given the very real and substantial risks posed to customers, the firm, and the representatives themselves, reviewing the practices detailed in the Report, reviewing your firm’s program, and enhancing your program where gaps exist is just good compliance and business sense. Gaps put customers’ data and assets at risk and potentially expose the firm and its representatives to significant losses, reputation risk, and regulatory action. Strong controls, supervision, training, and audits or branch examinations are critical components of mitigating exposure for the customers, the firm, and the representatives. (See also FINRA’s Cybersecurity webpage for additional resources.)