Penetration testing or conducting a pen test can be a key element in a firm’s arsenal to protect itself against cyber intrusions. Firms use pen tests to test potential vulnerabilities of their networks, determine where there may be gaps, and assess their cybersecurity defenses. Today’s post is the fourth in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first, second, and third posts on cybersecurity practice impacts.

What are pen tests and who should use them? FINRA notes that pen tests can simulate an external attack, by trying to access the firm’s systems from outside, or an insider attack, by trying to access systems and information that the tester should not be able to access. As discussed in prior posts, FINRA reviewed the Risk Control Assessment (RCA) responses of its member firms and identified the extent to which firms are using pen tests, the business models of firms most likely to benefit from such tests, and best practices in implementing this tool. Importantly, FINRA notes that whether to use pen tests is not a one-size-fits-all decision. The value of pen tests depends more on the firm’s business model and technology infrastructure than on the size of the firm. FINRA notes that key considerations in deciding whether to use such tests include whether the firm provides online access to customer accounts and how it manages and stores confidential information, including trading strategies, customers’ personal confidential information, and M&A information.

Key best practices to consider in employing pen tests. FINRA identified best practices that firms use in implementing effective pen tests.

  1. Use a Risk-Based Approach. Firms recommend a risk-based approach to deciding which systems to test and how frequently to test them. Relevant factors include the sensitivity of the data, the operational importance of the system, and any known or suspected vulnerabilities. FINRA found that firms with robust cybersecurity programs tested annually, and more frequently for critical, high-risk systems. Interestingly, FINRA also observed firms testing after changes to important applications and infrastructure.
  2. Conduct Thorough Vendor Due Diligence. In addition to discussing the importance of assessing a vendor’s substantive qualifications, FINRA calls out the need for the vendor to hold an ethical hacking certification in order to protect the firm. FINRA also notes that firms alternate, rotate, or use multiple vendors to increase the likelihood of finding issues.
  3. Ensure Contracts Detail Vendor Responsibilities and Obligations. Beyond specifying the particulars of what the vendor is required to do during the engagement, FINRA stresses the importance of specifying the non-disclosure of confidential information and test findings, and the details of what results should be conveyed to the firm and how.
  4. Respond to Pen Test Results. It is critically important that firms follow up on the results of pen tests. FINRA recommends establishing governance structures to track, risk-rank, and prioritize issues. FINRA also points out the importance of strong escalation and documentation processes.

The best practices FINRA identified through its RCA analysis provide useful guidance for firms to consider in evaluating whether and how to employ pen tests to evaluate the strength of their cybersecurity programs and identify potential vulnerabilities.