Financial industry executives have a unique responsibility to protect investors and proprietary firm information from compromise.
The notion that cybersecurity is purely an IT department issue has long since been reassessed by securities firms, and the topic is now taken into the board room. Discussions cover much more than the security of networks, systems, applications, and data; they range across "what if" scenarios, company policy, and risk-reducing strategy.
For FINRA (the Financial Industry Regulatory Authority), cybersecurity protection measures take a broad-sweep approach that covers compromise through the use of any electronic digital media (e.g., computers, mobile devices, Internet-based systems, iPads, software solution providers). And no matter how much of the cybersecurity task is outsourced to IT professionals, the ultimate responsibility lands on the shoulders of each firm's executive leadership. For this reason, cybersecurity practices have taken a front-and-center seat in board room discussions that reach past IT to operations, sales, vendors, and anyone else with access to electronic company data.
FINRA: Core Components of the Cybersecurity Plan
Cybersecurity Governance and Risk Management
Establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes, and structures, coupled with relevant controls tailored to the nature of the cybersecurity risks the firm faces and the resources the firm has available.
Cybersecurity Risk Assessment
A systematic process of identifying and analyzing potential dangers or risks to a firm's business that could arise through its information technology systems. Conduct regular assessments to identify new cybersecurity risks associated with the firm's assets and vendors. Prioritize threats and create a remediation plan.
Select specific controls based on individual firm circumstances, such as e-trading platforms, branch office needs, or an off-site sales force. Set procedure checklists that outline for the firm when and how to implement technical controls. Protect the firm's software and hardware that store and process data, as well as the data itself.
Incident response planning
The primary objective of an incident response plan is to provide a framework for managing a cyber attack or hack event in a way that limits damage, preserves the confidence of internal and external stakeholders, and reduces recovery time and costs.
Develop policies and procedures, as well as roles and responsibilities (who does what, and when), for escalating and responding to a cybersecurity breach.
Vendors can also be a significant source of cybersecurity risk. Use a risk-based approach to vendor management by performing pre-contract due diligence, establishing minimum standards for securing shared information, limiting staff access, and regularly testing security measures for failure.
Employees are a common attack vector for most firms. FINRA found that many successful cybersecurity attacks were traced to employee error. Take a strong stand to prevent employees from inadvertently downloading malware. Train staff on trending cyber threats such as phishing (fraudulent emails and look-alike sites designed to trick staff into disclosing credentials, account details, or other sensitive information).
Employees are also found to be a source of insider attacks, stealing proprietary company records or planting spyware or other malware on computers. Limiting employee access and privilege levels, keeping tamper-resistant login and access records, and tracking what employees are doing can help minimize risk or identify a breach early.
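As an added illustration (not from FINRA or the original page) of how retained login and access records support the monitoring described above, the Python below runs three simple checks over a few constructed log lines: activity outside assumed business hours, access to a system outside an employee's assumed entitlements, and an unusually large record export. The log format, user names, entitlements, and thresholds are all assumptions made for this example.

```python
"""Added example, not part of the FINRA guidance or the original page.

Reviews constructed access-log lines for the kinds of anomalies that retained
login and access records make visible: off-hours activity, access outside a
user's entitlements, and bulk exports. Log format, users, entitlements and
thresholds are assumptions made for this illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log. Assumed format:
# timestamp,user,source_ip,system,action,record_count
SAMPLE_LOG = """\
2024-03-04T09:12:05,jsmith,10.1.4.22,CRM,login,1
2024-03-04T09:13:40,jsmith,10.1.4.22,CRM,read_client_record,3
2024-03-04T10:02:11,alee,10.1.7.8,TRADING,login,1
2024-03-04T10:05:30,alee,10.1.7.8,TRADING,place_order,2
2024-03-04T22:47:02,jsmith,10.1.4.22,CRM,login,1
2024-03-04T22:49:15,jsmith,10.1.4.22,CRM,export_client_records,850
2024-03-05T08:30:00,alee,10.1.7.8,CRM,read_client_record,5
2024-03-05T08:31:10,bkhan,10.1.9.3,PAYROLL,login,1
2024-03-05T08:35:42,bkhan,10.1.9.3,PAYROLL,read_employee_record,12
"""

# Assumed least-privilege entitlements: the systems each user may touch.
ENTITLEMENTS = {
    "jsmith": {"CRM"},
    "alee": {"TRADING"},
    "bkhan": {"PAYROLL"},
}

BUSINESS_HOURS = (7, 19)   # 07:00 to 18:59 local time (assumed)
BULK_THRESHOLD = 500       # records touched in one action (assumed)


def parse_log(text):
    """Parse the assumed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, system, action, count = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "system": system,
            "action": action,
            "count": int(count),
        })
    return events


def detect_anomalies(events, entitlements=ENTITLEMENTS):
    """Return one finding dict per rule that fires on each event."""
    findings = []
    for e in events:
        base = {
            "user": e["user"],
            "time": e["time"].isoformat(),
            "system": e["system"],
            "action": e["action"],
        }
        # Rule 1: activity outside business hours.
        if not (BUSINESS_HOURS[0] <= e["time"].hour < BUSINESS_HOURS[1]):
            findings.append(dict(base, kind="off_hours"))
        # Rule 2: access to a system the user is not entitled to.
        if e["system"] not in entitlements.get(e["user"], set()):
            findings.append(dict(base, kind="unentitled_access"))
        # Rule 3: a single action touching an unusually large number of records.
        if e["count"] >= BULK_THRESHOLD:
            findings.append(dict(base, kind="bulk_export", count=e["count"]))
    return findings


def summarize(findings):
    """Count findings by rule, for a quick review summary."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    found = detect_anomalies(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['kind']:18} {f['user']:8} {f['time']} {f['system']} {f['action']}")
    print(dict(summarize(found)))
```

In the constructed log, the off-hours login followed by an 850-record export by the same user is the pattern worth escalating under the incident response plan, while the single unentitled read is the kind of least-privilege violation that access reviews should catch before it becomes an incident.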
Cyber intelligence | Information sharing
Improve the firm's ability to identify, detect, and respond to cybersecurity threats by assigning responsibility for cybersecurity intelligence and analysis. Establish protocols to distribute threat trends to operations and sales staff. Evaluate threats from both a tactical and a strategic perspective. Adopt a cyber-secure corporate culture and encourage employees to monitor their work environment for threats.
The cyber liability insurance market is expected to grow dramatically in the coming years. Cyber insurers track the activities and weaknesses that cause business disruption. They can help identify potential hazards and provide training to help the firm and its staff stay on top of trends. If an attack does occur, the insurer helps cover financial losses from theft, reputational harm, data destruction, and more. Review minimum standards for insurance coverage to determine whether adequate protection is in place. Evaluate cyber insurance as a way to transfer some of the risk.