FINRA Report on Best Cybersecurity Practices Is Must-Read, Alston & Bird Lawyer Says

It's an urgent topic as the number and severity of cyberattacks on financial institutions and others continue to rise. The SEC in September, for instance, announced that a Des Moines, IA-based broker-dealer and investment adviser, Voya Financial Advisors Inc., had agreed to pay $1 million to settle charges related to failures of cybersecurity policies and procedures that led to an intrusion that breached the personal information of thousands of customers. The SEC charged Voya Financial with violating the federal Safeguards Rule and Identity Theft Red Flags rule, its first enforcement action under the red flags rule. The intruders allegedly gained access to customer data by tricking the information technology help desk into resetting passwords by impersonating the financial representatives, who were independent contractors.

“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” Robert Cohen, chief of the SEC Enforcement Division's Cyber Unit, said in announcing the settlement. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

The FINRA report covers how to defend against this type of security breach and others, and is broken down into five main topics: 1) cybersecurity controls in branch offices; 2) methods of limiting phishing attacks; 3) identifying and mitigating insider threats; 4) elements of a strong penetration-testing program; and 5) establishing and maintaining controls on mobile devices, according to a news release issued by the authority on the report's release. The report updates a similar one FINRA released in 2015.

The new report is more specific and more detailed than the 2015 edition, listing practices, for instance, on branch controls, including the need to provide written supervisory procedures. A section on phishing goes into depth on how to detect “phishing” emails that appear to be from other executives, higher-ups, customers, acquaintances or the company help desk and how to educate representatives and employees about them.

“It is written in terms of not just various controls but continuous review of effective practices that are used by other firms,” Peretti says, adding that the report gives insight into types of attacks that are prevalent but also how “various peer organizations are addressing it.”

For instance, at the branch level, the report advises “mandating that branch personnel notify branch management of and properly respond to violations of firm cybersecurity standards or material cybersecurity incidents involving loss of confidentiality, availability or integrity of customer personally identifiable information (PII) or sensitive firm data.”

Cybersecurity practices must “be appropriately tailored to the entity. It should be risk-based based on risk to your organization,” says Peretti, who formerly was a senior litigator for the U.S. Department of Justice's Computer Crime and Intellectual Property Section, and was a lead prosecutor of TJX hacker-ringleader Albert Gonzalez. Gonzalez conspired with other members of the ring to hack payment processors and networks gaining access over a period of several years to 180 million payment-card accounts at retailers, including TJX, Target Corp. and others. He was sentenced to a prison term of 20 years and a day in 2010.

Peretti says large and small institutions must stay up-to-date on the latest methods and techniques being used by organized criminals and state actors, and must upgrade technologies and training to keep up with their ever-evolving tactics.

*****

MP McQueen is Editor-at-Large at Corporate Counsel, an ALM sibling of Cybersecurity Law & Strategy, and can be reached at [email protected].