
A look into FINRA Cybersecurity Practices Report - February 2015


RND Resources Inc., affiliates, and staff, are not associated with the financial industry regulatory
authority (FINRA). Nothing contained herein is intended to describe any such association.

RND Resources, Inc.


Phone (818) 657-0288
Compliance Accounting Registration www.finracompliance.com


February 2015: FINRA Report Released: Cyber-Security Practices



Top Threats Identified by Financial Firms

Hackers penetrating firm systems
Insiders compromising firm or client data
Operational risks

Threats vary by firm and business model. The chart compares Large Banks, Proprietary Trading, and Online Brokerage firms:

1) Online Brokerages rank hackers as top risk
2) Firms with algorithmic trading rank insider risks highest
3) Large investment banks rank hacktivist groups highest


FINRA Principles and Effective Practices

A framework that supports informed decision making and escalation within the
organization, and that defines policies, processes, structures, and controls
tailored to cybersecurity risks.

Governance and Risk Management
Risk Assessment
Technical Control
Incident Response Plan
Vendor Management
Staff Training
Information Sharing
Cyber Insurance


FINRA Case Study

Cyber-related Enforcement Action
Hackers used an SQL injection attack on a firm's database server, obtaining
confidential information of over 200,000 customers.
The firm became aware of the breach only when the hackers attempted to extort
money from the firm, even though the breaches were visible in the firm's web
server logs.

Further, the firm stored the customer data on a computer with an internet
connection and did not encrypt the information.

FINRA cited the firm for several governance failures.


FINRA Case Study

Cyber-related Enforcement Action (cont)
FINRA cited governance failures with regard to:
Failure to implement adequate safeguards
Storing un-encrypted customer data
Weak passwords
Failure to test safeguards of sensitive data
Failure to review web logs
FINRA also cited: failure to respond to an earlier auditor recommendation for an
intrusion detection system, and no written Information Security procedures in place
designed to protect customer data.


FINRA Case Study

Risks & Opportunities in Cloud Computing
FINRA recognizes that many firms today contract with vendors for cloud-based
services. Cloud computing presents 2 unique challenges to firms with regard to
their cyber security efforts.
1) Cloud services offer substantial technology advantages with minimal
involvement from IT departments. However, IT has in the past been the function
able to vet processes and ensure sound cyber security practices are in place.
2) Outsourced IT and cloud-based systems blur the boundary between firm
and non-firm systems, making it hard for firms to maintain control over
their technology environment.


FINRA Case Study

Risks & Opportunities in Cloud Computing (cont)
Key security considerations for cloud-based services:
1) What controls and authentication processes are used to access the cloud
vendor portal?
2) What controls does the cloud vendor have to prevent hacking of its system?
3) How is the system shared, i.e., are many firms using the same system and
computing resources?
4) What testing procedures are in place to identify potential threats?
5) What is the development life cycle process and procedure for updates?
6) Who has physical access to the vendor's data center?


FINRA report: Cyber-security is a key risk the broker-dealer industry faces
today and that will likely grow in importance in the coming years.

Risk assessments help firms identify and prioritize steps to undertake.
Information sharing helps firms understand the types of threats out there and
mitigation measures.

Threat types: SQL Injection, Malware, Phishing, Hijacked Devices, Persistent
Threats, Website Hack, Denial of Service, Insider Threat, Hacktivists


Consulting Investment Firms since 1984


Compliance Accounting Registration Cybersecurity
Expert Witness & Litigation Support

RND RESOURCES, INC.


Securities Brokerage Professionals

21860 Burbank Blvd North Building, Suite 150 Woodland Hills, CA 91367

www.finracompliance.com

CyberSecurity Standards for Investment Firms


A look into FINRA CyberSecurity Practices Report
Released February 2015
1) RND Resources presents an overview of the FINRA Report on Cyber Security
Practices released February 2015. RND Resources Inc is an Investment and
Brokerage consulting and services firm providing services in Compliance,
Accounting and Registration for Broker-Dealers, RIAs, Hedge Funds, & Family
Offices. RND Resources is not associated with FINRA. Nothing contained in this
presentation is intended to describe such association.
2) The February 2015 FINRA report was released in response to FINRA
cybersecurity sweeps implemented in January 2014. The 45-page report gives an
overview of the cyber security landscape, presents case studies where
cybersecurity and sensitive data have been compromised, and outlines standards
for firms to implement sound cyber-security governance.
3) Cybersecurity threats to broker-dealers and investment advisers are
persistent across many types of electronic digital media. Computers, mobile
technology, telephony equipment, and wi-fi access can all present hackers
and cyber criminals with access to sensitive company data. Additionally,
threats can occur from insiders with access to systems and passwords.
4) Cyber threats vary by size of firm and business model. FINRA surveyed firms
to understand top threats. While top threats were identified, the level of
priority of threat types varied by firm. For instance, large investment firms see
a greater threat from hacktivist groups creating operational issues, while
online brokerages rank hackers stealing customer data as their highest threat.
Further, firms with proprietary trading algorithms cited risks from insiders
compromising firm or client data as most prominent.

Phone (866)-342-9342/ (818)657-0288 Fax (888) 347-6098/ (818)657-0299

5) In response to their findings, FINRA released standards for brokerage and
investment firms to implement as a means to protect customer and firm data
from threats and attacks. FINRA created a summary of effective principles and
practices leading to a sound cyber-security program. Brokerage and
investment firms need to analyze their proficiency in these key areas to
ensure data is secure at all times. The key areas include: Governance and Risk
Management, Risk Assessment, Technical Control, Incident Response Plan,
Vendor Management, Staff Training, Information Sharing Practices, and Cyber
Insurance.
6) FINRA has cited, sanctioned, and fined firms with weak cyber-security
infrastructures. The report presents case study examples of errors on the part
of the firm to protect customer and company data. Hackers use sophisticated
methods to breach company records. Firms must stay on top of security
measures to ensure they are protected against common and not so common
threats.
7) In some cases there are simple measures that firms can implement to prevent
cyber attacks. Restricting access to and use of administrative-level passwords,
using strong passwords and changing them frequently, and maintaining antivirus
software are common practices. Firms must also implement strong prevention
tactics such as regular review of web logs for attempted breaches, testing
systems against breach, and using separate storage devices for customer data.
8) Firms must also recognize that risks are not entirely within their own control.
Some risks come from outsourced services and cloud based computing
systems. Brokerage firms have less control over security of cloud based
systems and must review procedures and security measures of their vendors
to ensure protection standards are implemented at the level that securities
brokerages are required to maintain.
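As an added illustration of the "review web logs for attempted breaches" control named in the SQL injection case study and in item 7 above, here is a small Python log-review script (not code from the FINRA report or from RND Resources). It parses Apache-style access-log lines, URL-decodes the request path, and flags requests that carry SQL injection signatures; the log lines, IP addresses, paths and user agents are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2015:09:14:02 -0800] "GET /account?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2015:09:14:05 -0800] "GET /account?id=1042'%20OR%20'1'%3D'1 HTTP/1.1" 200 98304 "-" "sqlmap/1.0"
203.0.113.9 - - [10/Feb/2015:09:14:07 -0800] "GET /account?id=1042%20UNION%20SELECT%20ssn,name%20FROM%20customers-- HTTP/1.1" 200 131072 "-" "sqlmap/1.0"
198.51.100.7 - - [10/Feb/2015:09:15:11 -0800] "GET /search?q=o'neil HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2015:09:16:30 -0800] "GET /account?id=1042;%20DROP%20TABLE%20customers HTTP/1.1" 500 512 "-" "sqlmap/1.0"
"""

# Fields of the combined log format that the review needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Signatures characteristic of SQL injection attempts. A lone apostrophe is
# deliberately not enough (o'neil is a legitimate search), which limits false positives.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),        # tautology such as ' OR '1'='1
    re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),        # UNION SELECT data exfiltration
    re.compile(r";\s*(drop|delete|insert|update)\b", re.I),  # stacked query
    re.compile(r"--\s*$|/\*"),                               # SQL comment used to cut the query
]

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])  # decode %20, %3D etc. before matching
    return rec

def find_sqli(log_text):
    """Return one record per request whose decoded path matches a signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for pat in SQLI_PATTERNS:
            if pat.search(rec["path"]):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "rule": pat.pattern})
                break
    return hits

def summarize(hits):
    """Count flagged requests per source address, the view a reviewer escalates on."""
    per_ip = {}
    for h in hits:
        per_ip[h["ip"]] = per_ip.get(h["ip"], 0) + 1
    return per_ip
```

Run against the sample, the script flags the three sqlmap-style requests from 203.0.113.9 and leaves the two legitimate requests alone; in practice the same review would run daily over the real access log and feed an escalation path.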


9) FINRA reported several key concerns with cloud based computing and
outsourced vendor services. Investment and Securities firms must exercise
due diligence in who they do business with and what the capabilities are.
Firms should interview vendor companies to identify which secure measures
are in place and to ensure they are compliant with investment firm standards.
10) Cyber security is a growing risk to broker-dealers, investment advisers, hedge
fund managers, and family practices. RND Resources is actively engaged in
reviewing investment firms' and practices' cyber security programs,
making recommendations and establishing procedural standards. It is
important for firms to have their cyber security strategy assessed for its
ability to prevent attacks and to recover quickly if one happens. Some states
have specific laws with regard to disclosure of cyber attacks. Firms must
maintain standards compliant with their local and state laws as well as
regulatory standards.
11) RND Resources, Inc is leading securities and brokerage professionals to
successfully implement compliance with FINRA and SEC standards. We are
experts at helping firms reach their compliance goals. Our company is a
member of ISACA (Information Systems Audit and Control Association), which
serves to keep members informed of threats in the IT landscape and focuses
on IT governance. RND is also a member of NSCP, the National Society of
Compliance Professionals. Contact us for information about how we can help
your firm protect itself from attack and meet regulatory standards. Phone
(818) 657-0288 or visit our website at www.finracompliance.com
