Finra Cybersecurity Report Offers Effective Practices on Oversight, Evaluation of Firms

A Finra report offers insights on effective practices firms use to address selected cybersecurity risks. The report, aimed at helping broker-dealer firms develop their cybersecurity programs, addresses direct cyberattacks, risk mitigation and oversight of third parties. The report noted, for instance, that the firms it observed “conducted thorough due diligence to select vendors with a sound knowledge of cyber risks, current attack techniques and appropriate tools to emulate the actions of an attacker.” The report added that some firms required vendors to provide an ethical hacking certification such as Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP) or GIAC Penetration Tester (GPEN) certifications prior to an engagement. Key topics covered in the report include:

• how firms have strengthened their cybersecurity controls in branch offices, which is especially important for firms with decentralized business models;
• limiting phishing attacks;
• the importance of identifying and mitigating insider threats;
• the elements of a strong penetration testing program; and
• establishing and maintaining controls on mobile devices.