The Financial Industry Regulatory Authority (FINRA) often issues alerts for broker-dealers in an effort to keep firms apprised of high-risk areas. One of these recent alerts issued in June 2023 references guidance from the Cybersecurity and Infrastructure Security Agency (CISA), which is a response from a recent cybersecurity attack targeting the financial sector, among others.
The message from FINRA is clear: Cybersecurity threats are growing, and all firms (whether affected by the recent threat or not) need to take measures to protect themselves and their clients from nefarious activity. Of course, an increased focus on cybersecurity isn’t exactly new information – regulatory bodies have been pointing toward cybersecurity as a focus area for at least the last year.
Related: Why implementing cybersecurity regulatory compliance initiatives is a must for 2023
As we step firmly into the second half of 2023, broker-dealers would be wise to refresh their cybersecurity practices, proactively identifying any areas of risk to both mitigate regulatory penalties and protect against tangible threats to data safety.
Six cybersecurity regulatory compliance tips for broker-dealers
1. Increase employee awareness
Cybersecurity is a team effort, and your employees are the first line of defense. Thus, it’s important to regularly educate your staff on the latest threats and best practices. The recent report from CISA, referenced above, is a great example of the materials and resources each member of your team should be familiar with.
Related: Cybersecurity Tips & Tricks for Chief Compliance Officers
Training can also encompass basic cybersecurity best practices, like recognizing phishing emails or knowing how to report suspicious activity. Regular cybersecurity training sessions offer an opportunity to build a culture of cybersecurity awareness through open communication, so be sure to encourage questions and provide hands-on learning during these times.
Note: Keep in mind that your staff likely have devices outside of firm-issued hardware. Be sure to train staff on proper use of both professional and personal devices. For example, logging into their work email on a cellphone without password protection could open your firm to unnecessary security risks.
2. Implement password policies
Passwords are the literal key to your metaphorical kingdom. Often, they’re the only thing protecting your clients’ and firm’s sensitive information from would-be hackers.
Implement strict password policies that go beyond the basics of requiring a mix of upper and lower-case letters, numbers and symbols – although that can make a significant difference!
To take your password training further, we recommend you implement multi-factor authentication and enforce regular password updates, all of which can provide added security.
3. Look at your third-party vendors
Many broker-dealers rely on third-party vendors for various services, including data storage, software solutions, compliance and more.
Before (and even after) signing on to work with these vendors, it’s crucial to thoroughly vet their cybersecurity policies and practices. Ensure they adhere to robust security standards, conduct regular security audits and have incident response plans in place.
As new cybersecurity threats or regulations are created, you can reach out to vendors to ensure they are keeping up, so to speak.
Related: What the SEC’s proposed vendor due diligence rule means for registered investment advisers
4. Create an incident response plan
Despite your best efforts, breaches can and do still occur. Having a well-documented incident response plan is essential in these moments. This plan should outline the steps to take in the event of a breach, including: who to contact, how to contain the breach, how to investigate it and how to notify affected parties.
Click Here to Download “The Three Elements of Cybersecurity” Checklist
After creating your incident response plan, it’s a good idea to host some “practice runs” for your staff, as this can reveal any potential hiccups in the plan while also familiarizing your staff with the proper procedure.
5. Assess (and reassess) areas of risk
Cyber threats are constantly evolving, and your cybersecurity measures must adapt accordingly. Regular assessments and audits of your systems, processes and training can help identify your organization’s areas for improvement.
This is especially important any time your firm undergoes a significant change, such as implementing new technology, restructuring staff, etc.
Related: Managing cybersecurity risks in an uncertain world
6. Leverage cybersecurity software solutions
Lastly, your firm could greatly benefit from investing in cybersecurity software solutions that provide real-time threat detection, automatic updates and enhanced protection against evolving threats.
One such solution is RIA in a Box’s Cybersecurity platform, which follows the National Institute of Standards and Technology (NIST) cybersecurity framework to provide:
- Email phishing attack simulation
- Third-party vendor due diligence
- Technology inventory and risk assessment
- Training modules
- And more
Cybersecurity is both dynamic and challenging, but with a proactive approach and a commitment to implementing these comprehensive cybersecurity tips, broker-dealers can significantly reduce their exposure to cyber threats, protect sensitive data and maintain compliance.
Protect your firm from cybersecurity regulatory compliance threats
Ready to implement a robust cybersecurity system within your organization? Click here to learn more about COMPLY’s comprehensive cybersecurity solutions.