FINRA is the US government agency authorized by Congress to protect investors by overseeing over 600,000 brokers across the country. Some of these brokers are clients of Foresite’s network of Managed Services Providers, and the question has come up: “What are the FINRA requirements for cybersecurity?”

 

FINRA lists the following as Core Cybersecurity Controls:

  • Patch Maintenance. Enable the automatic patching and updating features of operating systems and other software to help firms maintain the latest security controls (see Sections 4 and 5 of the Checklist).
  • Secure System Configuration. When configuring systems and software, use vendor guidance or industry standards, such as those published by the Center for Internet Security (“CIS”) (see Overview and Resources section of the Checklist).
  • Identity and Access Management. Limit access to confidential customer and firm information based on business need. Tightly restrict use of “admin” or highly privileged entitlements and regularly review user accounts and privileges to modify or delete those which are no longer necessary to achieve business objectives (see Section 8 of the Checklist).
  • Vulnerability Scanning. Use Commercial Off-The-Shelf (“COTS”) software or third-party vendors to continuously scan for vulnerabilities and quickly address detected discrepancies (see Section 10 of the Checklist).
  • Endpoint Malware Protection. Install COTS software on firm computers, servers and firewalls to detect and block viruses and other malware (see Sections 4 and 5 of the Checklist).
  • E-mail and Browser Protection. Install software or use services to block web-based e-mail programs and unsafe content received through e-mail (e.g., phishing attacks) or accessed via web browsers (see Sections 4 and 5 of the Checklist).
  • Perimeter Security. Use network access controls, such as firewalls, to block unnecessary connectivity between firm systems and outside systems. If feasible, incorporate an Intrusion Detection and Prevention capability (see Sections 4, 5 and 10 of the Checklist).
  • Security Awareness Training. Provide cybersecurity training to all employees upon their employment and at least annually thereafter (but preferably more often) to ensure all users are aware of their responsibilities for protecting the firm’s systems and information. Training should address common attacks, how to avoid becoming a victim and what to do if you notice something suspicious. Consider implementing an ongoing phishing awareness campaign (see Section 8 of the Checklist).
  • Risk Assessments. Conduct annual risk assessments and testing of firm controls to verify effectiveness and adequacy. This assessment may be accomplished using third-party or firm security experts (see Sections 1 and 2 of the Checklist).
  • Data Protection. Encrypt critical data, back it up frequently and store copies of back-ups offline. Regularly test the firm’s ability to restore data. Consider blocking USB ports and use of all removable data storage devices, including CDs and flash drives (see Sections 4, 5, 6 and 12 of the Checklist).
  • Third-Party Risk Management. Review System and Organization Controls (SOC) or SSAE 18 reports for third-party vendors and other partners with access to confidential firm and customer data to ensure they have security controls commensurate with, or better than, the firm’s. All contracts should have provisions to enforce controls to protect data, including prompt notification of any changes to those controls and vulnerabilities or breaches that may affect the firm (see Section 3 of the Checklist).
  • Branch Controls. Ensure that branches apply and enforce relevant firm cybersecurity controls, which may include many of the controls identified in this list, as well as other relevant controls such as those in the Small Firm Cybersecurity Checklist.
  • Policies and Procedures. Create policies and procedures that address each category of controls applicable to the firm, such as those identified in this list.

Key takeaways for MSPs:

  1. The NIST CSF checklist can be used to identify where gaps exist and which services you can recommend to help fill them, and you can use it this way for ALL customers.
  2. You are a critical third-party vendor for these customers, especially if you have access to their network. Make sure you align your own cybersecurity to the NIST CSF standards!