Thursday, February 7, 2019

FINRA's new "Best Practices" for Cybersecurity is MUST reading for any employer

The Financial Industry Regulatory Authority (FINRA) recently issued its Report on Selected Cybersecurity Practices – 2018 [pdf].

The Report identifies five common cybersecurity risks and outlines recommended practices for each:

  • Branch controls
  • Phishing attacks
  • Insider threats
  • Penetration testing
  • Mobile devices 

While FINRA only regulates securities firms, the five topics its Report covers should be required reading for any employer that wants to understand how to implement cybersecurity best practices.

Branch Controls

If you have multiple or satellite offices, the Report highlights the need to closely monitor cybersecurity efforts outside your HQ. The more autonomy your satellites have, the harder it becomes to implement a company-wide cybersecurity program.

To limit the cyber risks this autonomy and independence can pose, the Report recommends establishing Written Supervisory Procedures that give satellites detailed guidance on required security controls, how to notify HQ about cyber problems, recommended security settings and vendors, and regular cyber training for employees. It also recommends that companies keep an inventory of all digital assets, so that satellites cannot use or install rogue or unknown devices or software, and so that breach risks can be assessed. This inventory should also cover controls such as password policies, encryption, multi-factor authentication, and updated anti-virus and anti-malware software. Once these controls are in place, companies should audit and assess the specific cyber risk of each satellite, and correct any deficiencies.
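The inventory-and-audit loop the Report describes is easy to picture as code. The following Python script is an added illustration, not tooling from FINRA's report or from this post: it reconciles what a scan of each branch actually observes against the HQ-maintained inventory, flags devices that are not in the inventory (rogue), inventoried devices that did not show up (missing), and known devices lacking one of the required controls (encryption, MFA, updated anti-virus, password policy), then scores each branch so HQ can prioritize follow-up. All hostnames, branch names and control labels are constructed sample data.

```python
"""Branch asset-inventory reconciliation (added illustration; constructed data).

Two constructed data sources per branch office:
  * AUTHORIZED: the HQ-maintained inventory of approved devices.
  * OBSERVED:   what a network/endpoint scan of the branch actually reports,
                including which security controls each device has in place.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Controls the Report says the inventory should track (labels are ours).
REQUIRED_CONTROLS = {"disk_encryption", "mfa", "av_updated", "password_policy"}

# Finding types, weighted for a simple per-branch risk score (weights are assumptions).
WEIGHTS = {"rogue_device": 5, "control_gap": 2, "missing_device": 1}


@dataclass
class Device:
    hostname: str
    branch: str
    controls: set[str] = field(default_factory=set)  # only meaningful for OBSERVED entries


# Constructed HQ inventory: hostnames approved for each branch.
AUTHORIZED = [
    Device("north-ws01", "north"),
    Device("north-ws02", "north"),
    Device("south-ws01", "south"),
    Device("south-srv01", "south"),
]

# Constructed scan results: what was actually seen on each branch network.
OBSERVED = [
    Device("north-ws01", "north", {"disk_encryption", "mfa", "av_updated", "password_policy"}),
    Device("north-ws02", "north", {"disk_encryption", "av_updated", "password_policy"}),  # no MFA
    Device("north-nas-unknown", "north", {"password_policy"}),  # not in HQ inventory
    Device("south-ws01", "south", {"disk_encryption", "mfa", "av_updated", "password_policy"}),
    # south-srv01 is inventoried but was not observed on the network.
]


def audit_branch(branch: str, authorized: list[Device], observed: list[Device]) -> list[tuple[str, str, str]]:
    """Return (finding_type, hostname, detail) tuples for one branch."""
    inventory = {d.hostname for d in authorized if d.branch == branch}
    seen = {d.hostname: d for d in observed if d.branch == branch}
    findings: list[tuple[str, str, str]] = []

    # Devices on the network that HQ never approved.
    for host in sorted(seen.keys() - inventory):
        findings.append(("rogue_device", host, "not in HQ inventory"))

    # Approved devices that did not show up (lost, stolen, or scan coverage gap).
    for host in sorted(inventory - seen.keys()):
        findings.append(("missing_device", host, "in inventory but not observed on the network"))

    # Approved devices that are present but lack a required control.
    for host in sorted(inventory & seen.keys()):
        for gap in sorted(REQUIRED_CONTROLS - seen[host].controls):
            findings.append(("control_gap", host, gap))

    return findings


def audit_all(authorized: list[Device], observed: list[Device]) -> dict[str, list[tuple[str, str, str]]]:
    """Audit every branch named in either data source."""
    branches = {d.branch for d in authorized} | {d.branch for d in observed}
    return {b: audit_branch(b, authorized, observed) for b in sorted(branches)}


def risk_score(findings: list[tuple[str, str, str]]) -> int:
    """Weighted count of findings; higher means the branch needs attention first."""
    return sum(WEIGHTS[kind] for kind, _, _ in findings)


if __name__ == "__main__":
    results = audit_all(AUTHORIZED, OBSERVED)
    for branch, findings in sorted(results.items(), key=lambda kv: -risk_score(kv[1])):
        print(f"[{branch}] risk score {risk_score(findings)}")
        for kind, host, detail in findings:
            print(f"  {kind:15} {host:20} {detail}")
```

In practice the `AUTHORIZED` list would come from the asset-management system and `OBSERVED` from an endpoint agent or network scan; the reconciliation logic stays the same, and the per-branch score gives HQ a ranked list of deficiencies to correct on the next audit cycle.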

Phishing Attacks

Phishing continues to be the number one cybersecurity risk for companies, because it relies on human error, which is difficult to control. Email scanning and filtering are necessary, but not enough to stop phishing attempts, which have grown more sophisticated and harder to stop. Training is the key to protecting against phishing. Employees must be trained to recognize phishing attempts, educated not to open or respond to them, and counseled on how to report the threat to the appropriate personnel for handling. For more on the nuts and bolts of phishing and how to best protect against it, click here.

Insider Threats

Anyone who has been given access to your network can pose a threat if they harbor malicious intent. Employees, interns, customers, vendors, contractors, and subcontractors all place you at risk. For more on handling insider threats, click here.

Penetration Testing

Penetration (or "pen") testing is a security exercise that uses a simulated attack to locate and exploit your systems' weaknesses and vulnerabilities. Companies should pen test at least annually, and more often following changes to their cyber infrastructure. It's also best to use an outside vendor to conduct these tests, and to rotate vendors to get different opinions on the strengths and weaknesses of your systems.

Mobile Devices

Your employees are using mobile devices to access your network, both those you provide and their own. Each device connected to your network offers an opportunity for a cyber attack. For tips on implementing a mobile device policy, including which devices are allowed to connect, how to handle a lost or stolen device, password protocols, and remote wiping of devices when needed, click here.

Data breaches are not a question of if, but of when. No system is foolproof, and even the most diligent are at risk. Following FINRA's lead, however, will help position your company to deflect and defend against these attacks.

If you'd like to know more about how to best protect your business from cyber attacks, I know a few lawyers who can help (wink wink, nudge nudge).

* Photo by Nahel Abdul Hadi on Unsplash