Kim Peretti of Alston & Bird/courtesy photo Kim Kiefer Peretti of Alston & Bird/courtesy photo

“Cybersecurity practices need to be current and adaptable to the current threat landscape,” said Kimberly Kiefer Peretti, partner and co-chairwoman of Alston & Bird's cybersecurity preparedness and response team in Washington, D.C., speaking about the Financial Industry Regulatory Authority's latest Report on Selected Cybersecurity Practices 2018.

The recently released FINRA report provides guidance for broker-dealer firms of various sizes on how they can mitigate the risks of cyberattacks and data theft by other means. FINRA is a nonprofit self-regulatory organization that registers broker-dealers and enforces compliance with federal securities laws and FINRA rules, and is overseen by the U.S. Securities and Exchange Commission.

Steven Polansky, senior director, member supervision in FINRA's Washington, D.C., office, said on releasing the 2018 report: “There is no one-size-fits-all approach to cybersecurity, so FINRA has made a priority of providing firms with reports and other tools to help them determine the right set of practices for their individual business.”

It's an urgent topic as the number and severity of cyberattacks on financial institutions and others continue to rise. The SEC in September, for instance, announced that a Des Moines, Iowa-based broker-dealer and investment adviser, Voya Financial Advisors Inc., had agreed to pay $1 million to settle charges related to failures of cybersecurity policies and procedures that led to an intrusion that breached the personal information of thousands of customers. The SEC charged Voya Financial with violating the federal Safeguards Rule and Identity Theft Red Flags rule, its first enforcement action under the red flags rule. The intruders allegedly gained access to customer data by tricking the information technology help desk into resetting passwords by impersonating the financial representatives, who were independent contractors.

“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, chief of the SEC Enforcement Division's Cyber Unit, announcing the settlement. “They also must review and update the procedures regularly to respond to changes in the risks they face.”  

The FINRA report covers how to defend against this type of security breach and others, and is broken down into five main topics: Cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices, according to a news release issued by the authority on the report's release. The report updates a similar one FINRA released in 2015.

The new report is more specific and more detailed than the 2015 edition, listing practices, for instance, on branch controls, including the need to provide written supervisory procedures. A section on phishing goes into depth on how to detect “phishing” emails that appear to be from other executives, higher-ups, customers, acquaintances or the company help desk and how to educate representatives and employees about them.

“It is written in terms of not just various controls but continuous review of effective practices that are used by other firms,” Peretti said, adding that the report gives insight into types of attacks that are prevalent but also how “various peer organizations are addressing it.”

For instance, at the branch level, the report advises “mandating that branch personnel notify branch management of and properly respond to violations of firm cybersecurity standards or material cybersecurity incidents involving loss of confidentiality, availability or integrity of customer personally identifiable information (PII) or sensitive firm data.”

Cybersecurity practices must “be appropriately tailored to the entity. It should be risk-based based on risk to your organization,” said Peretti, who formerly was a senior litigator for the U.S. Department of Justice's Computer Crime and Intellectual Property Section, and was a lead prosecutor of TJX hacker-ringleader Albert Gonzalez. Gonzalez conspired with other members of the ring to hack payment processors and networks gaining access over a period of several years to 180 million payment-card accounts at retailers, including TJX, Target Corp. and others. He was sentenced to a prison term of 20 years and a day in 2010.

Peretti said large and small institutions must stay up-to-date on the latest methods and techniques being used by organized criminals and state actors, and must upgrade technologies and training to keep up with their ever-evolving tactics.

Read More:

SEC Hits Voya Financial Advisors With $1M Fine Over Cyber Breach

Cybersecurity Costs Extend Beyond a Price Tag

Securing the Premises: Simple Tips for Maximizing Cybersecurity