If you’re a company in the financial services industry, then you have a unique set of requirements to follow when it comes to how you handle client data.
Financial services businesses are regulated by the Financial Industry Regulatory Authority (FINRA), which is a not-for-profit organization that’s authorized by the U.S. Congress to protect investors and ensure they’re being treated honestly and not taken advantage of.
Five of the main objectives of FINRA include:
- Making sure all investors receive basic protections
- Ensuring anyone that sells a securities product has been tested, qualified, and licensed
- Regulating advertising of securities products to make sure it’s truthful
- Overseeing that securities products sold to investors are suitable for them
- Ensuring investors receive complete disclosure about investment products prior to purchase
Because most data is transferred digitally these days, FINRA compliance includes specific guidelines for the cybersecurity measures that businesses take to protect sensitive client data. This includes network protections, safeguards built into workflows, and ensuring data is gathered, stored, and transmitted securely.
Fines for non-compliance with FINRA’s cybersecurity regulations can be stiff. For example:
- One firm that failed to properly protect a cloud-based server from being hacked was fined $650,000.
- A broker-dealer was fined $225,000 for losing an unencrypted laptop containing sensitive data.
FINRA 12-Section Cybersecurity Checklist
The cybersecurity guidelines given by FINRA are based on best practices when it comes to secure handing of Personally Identifiable Information (PII) in a number of ways.
The main areas of protection include:
- Identifying and assessing cybersecurity threats
- Protecting data from unauthorized access
- Detecting when systems have been compromised
- Planning for an efficient response when compromise occurs
- Implementing a plan to recover lost or stolen data
FINRA lays out the specifics of what you need to do in a Small Firm Cybersecurity Checklist. We’ve included an overview below with suggested technology you need support the requirements.
1. Identify and Assess Risks: Inventory
This includes understanding what personally identifiable or firm sensitive information you have, such as SSNs, payment card information, customer account details.
Assigning that data a risk severity level. For example, an SSN would be high, where a firm’s address that is publicly posted on their website might be at a lower level.
This also includes knowing where that data is stored, i.e. a cloud storage, on premises server, etc.
2. Identify and Assess Risks: Minimize Use
It’s important to reduce the access to PII to only those that need it. One of the tools you can use to do this if you use Office 365 is Sensitivity Labels that allow you to enact access and security protocols based upon labels that are applied to documents and emails.
3. Identify and Assess Risks: Third Party
When sharing sensitive data with third parties, you should ensure they have the proper safeguards in place to protect the data you’re sharing.
If third parties are accessing part of your data infrastructure, such as a chat system like Teams, you should also ensure they don’t have access to data that they shouldn’t. Information Barriers is a way you can control connections within the Teams software.
4. Protect: Information Assets
This includes the protective measures you use to ensure unauthorized parties cannot access protected data. These measures can consist of safeguards such as:
- Good password security or use of a password manager
- Use of an antivirus/anti-malware
- Firewall with advanced threat protection
5. Protect: System Assets
Your system assets include the applications that you use to gather, store, and transmit customer data. This can include programs like a CRM or cloud storage systems like OneDrive.
You want to thoroughly review security settings in these platforms to make sure your data is protected by enacting features such as multi-factor authentication.
6. Protect: Encryption
Is your data being properly encrypted? You should ensure that when PII is shared internally or externally that it is protected in encrypted systems, including your devices and any backup media or cloud platforms.
Remember those fines we mentioned? One was due to data being in an unencrypted environment on a lost laptop.
7. Protect: Employee Devices
Any employee device, computer or mobile, that has access to PII needs to be properly secured with things like passcodes and access tracking mechanisms.
A mobile device management application, like Microsoft Intune gives you the ability to secure and easily manage all employee devices.
8. Protect: Controls and Staff Training
You should have controls in place such as the ability to differentiate between devices that are accessing information.
Employee cybersecurity and compliance awareness training are vital to ensuring your team knows how to properly secure PII as well as how to avoid things like phishing emails that can lead to data breaches.
9. Detect: Penetration Testing
Often hackers build malware that is designed to hide on your system and steal sensitive data without your knowing it. That’s why it’s a good idea to conduct regular third-party penetration testing, which can test your system for vulnerabilities.
10. Detect: Intrusion
Intrusion detection involves using applications, such as next-gen firewalls, that can detect when an intrusion attempt is happening and give you the insight you need to stop attacks, as well as identify how an intruder may have breached your network.
11. Response Plan
In order to successfully respond after a data breach or ransomware infection happens, you need to put a cybersecurity response plan in place. This gives your team a roadmap to execute the immediate steps they need to take to mitigate damage after sensitive information has been exposed.
The formation of an incident response team reduces the cost of a data breach by an average of $360,000.
Having the proper recovery systems in place can make all the difference in how fast your firm bounces back after a data breach and can restore client confidence.
Ensuring you have a reliable cloud-based backup and recovery solution in place is a very important part of business continuity and data recovery.
Ensure Your Data Security Meets FINRA Compliance Guidelines
C Solutions can take the stress out of FINRA compliance by ensuring you have the right cybersecurity measures in place.
Schedule a free compliance consultation today! Call 407-536-8381 or reach us online.