
Do You Understand FINRA’s Cybersecurity Recommendations?

FINRA may have stated their cybersecurity recommendations, but that doesn’t mean they’re totally clear. In this article, we’ll explore cybersecurity best practices for FINRA compliance.

FINRA’s Cybersecurity Recommendations

If you want to be FINRA-compliant, then you need to make sure your firm is secure. However, neither effort is necessarily simple. At first glance, FINRA requirements can be very complicated. After all, cybersecurity is a multi-faceted undertaking, involving hardware, software, and users.

Do you know where to begin?


What’s The Foundation Of FINRA Compliance?

Let’s start with the basics – compliance is determined by your firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.

That means following the three regulations below. Think of them as what’s required of you and how you deal with your data…

  • You Need A Written Policy
    Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
  • You Need To Protect Against Identity Theft
    Regulation S-ID (17 CFR §248.201-202), which outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
  • Your Data Needs To Be Stored The Correct Way
    The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format

5 FINRA Best Practices For Your Firm To Follow

1. Don’t Forget About Branch Cybersecurity

No matter how secure your main location is, that defense doesn’t automatically extend to the branches you work with. As a part of your “supply chain”, branches need to be as secure as you are.

That’s the point of Written Supervisory Procedures (WSPs): they extend the security standards of your primary location to every branch, because strong onsite cybersecurity does nothing for a branch that doesn’t follow the same procedures.
Double-check that your branches have the following in place:

  • Mandatory security controls
  • Notifications concerning issues and breaches
  • Accepted security settings and vendors
  • Assignment of duties and responsibilities pertaining to cybersecurity controls
  • Training curriculum and testing protocols

2. Defend Against Phishing

Phishing (and all social engineering techniques) is about the element of surprise.

It’s a method in which cybercriminals send fraudulent emails that appear to be from reputable sources in order to get recipients to reveal sensitive information and execute significant financial transfers.

That’s why cybersecurity awareness training is becoming a more and more common part of modern IT services. The fact is that users are a key target for cybercriminals; the more they know about cybercrime tactics like phishing, the better defended your organization will be.

3. Don’t Make Assumptions

No matter how much you’ve invested in your cybersecurity, you can’t just assume it’s effective enough to protect you against cybercriminals. A key best practice for cybersecurity is to regularly test your measures to make sure they hold up in the event of an attack, and to identify any unseen vulnerabilities that are putting you at risk.

That’s why FINRA recommends running penetration tests (an authorized attempt to break through your organization’s cybersecurity defenses) on a regular basis as well as after key events – any significant change to your firm’s infrastructure, staffing, access controls, or other cybersecurity-related considerations.

4. Involve Your Staff In Cybersecurity

Do your employees have the knowledge they need to defend your firm?

If you’re not sure, then they may need training. Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.

5. Keep Data Protected On Mobile Platforms

It’s no surprise that mobile devices are continuing to become a central and necessary part of the business world. What might be surprising is how unprepared some businesses are for that reality.

No matter what kind of cybersecurity you have in place at the office, it won’t extend to the mobile devices that have access to your data.

This is a critical limitation of your cybersecurity software, and it’s obvious when you think about it – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then you won’t be totally secure.

That’s why you need to have the right mobile cybersecurity measures in place:

  • Virtual Private Network
A VPN creates a secure, encrypted tunnel for your data to transit the Internet, using a network of private servers. That makes it harder for an attacker to identify you as the source of the data – no matter whether you’re on your mobile device’s data connection, or using an unsecured retail Wi-Fi network while you’re in line for coffee. Even if attackers can intercept your data, the encryption means they can’t read it or use it to their advantage.
  • Find My Phone
These types of apps allow you to remotely turn on your phone’s GPS to determine where it is. Furthermore, some of the more security-focused versions of these apps allow you to execute additional actions in order to eliminate security risks. The right monitoring software for mobile devices will protect you from a number of dangerous scenarios, including:

    • Jailbreaking and rooting company devices
    • Unauthorized access to company data
    • Lost or stolen devices that need to be remotely wiped
  • Password Managers
These programs store all of your passwords in one place, which is sometimes called a vault. Some programs can even make strong passwords for you and keep track of them all in one location, so the only password or passphrase you have to remember is the one for your vault. The downside of using a password manager is that if an attacker cracks your vault password, then he or she knows all of your passwords for all of your accounts.
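The password-manager trade-off above (one master passphrase protects everything, so its strength and the cost of deriving the vault key are what matter) can be illustrated with a small model. The following is an added example written for this article, not code from any password manager or from the author; the scrypt cost parameters, the guess rates and the password lengths are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# Constructed example: how a vault turns one master passphrase into an
# encryption key, why generated passwords should come from a CSPRNG, and
# how passphrase entropy plus key-stretching cost bound an offline attack.

SALT_BYTES = 16
# Assumed scrypt cost parameters (illustrative; real managers tune these
# to their memory/latency budget). Memory use is 128 * r * n bytes = 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Generate a uniformly random password from the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    predictable PRNG and must never be used for credentials.
    """
    if length < 8:
        raise ValueError("password length must be at least 8")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master: str, salt: bytes) -> bytes:
    """Stretch the master passphrase into a 32-byte vault key with scrypt.

    The per-vault random salt stops precomputed tables; the cost parameters
    make every guess expensive for an attacker who steals the vault file.
    """
    if len(salt) < SALT_BYTES:
        raise ValueError("salt too short")
    return hashlib.scrypt(
        master.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected years to find a secret of `bits` entropy at a given guess rate.

    On average half the keyspace must be searched, hence 2**(bits-1).
    """
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


def compare_master_passphrases(guesses_per_second: float = 1e6) -> dict:
    """Contrast a weak and a strong master passphrase under the same attacker.

    The guess rate is an assumption: scrypt at these parameters keeps an
    offline attacker to far fewer guesses per second than a plain hash would.
    """
    weak_bits = entropy_bits(8, len(string.ascii_lowercase))       # 8 lowercase letters
    strong_bits = entropy_bits(20, len(DEFAULT_ALPHABET))           # 20 chars, 94 symbols
    return {
        "weak_bits": weak_bits,
        "weak_years": brute_force_years(weak_bits, guesses_per_second),
        "strong_bits": strong_bits,
        "strong_years": brute_force_years(strong_bits, guesses_per_second),
    }


if __name__ == "__main__":
    salt = secrets.token_bytes(SALT_BYTES)
    key = derive_vault_key("correct horse battery staple", salt)  # constructed passphrase
    print("vault key:", key.hex())
    print("generated site password:", generate_password())
    for name, value in compare_master_passphrases().items():
        print(f"{name}: {value:.3g}")
```

The comparison function makes the article’s warning concrete: a stolen vault is only as safe as the master passphrase, so the manager should generate long random site passwords (which a user never has to remember) while the one memorised secret is a long passphrase behind a deliberately slow key-derivation function.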
