The Financial Industry Regulatory Authority (FINRA) is an independent regulatory body overseen by the SEC that manages and protects the financial industry against breaches of regulations that could lead to corruption, fraud or theft. All told, FINRA monitors up to 4,200 brokerage firms and up to 75 billion transactions each day.
As part of that mission, FINRA develops and implements a set of compliance requirements that protect financial transactions against theft. This includes several layers of financial best practices as well as cybersecurity measures that protect communications, transactions and data every single day.
Here, we’ll cover the basics of FINRA compliance and what it could mean for your business.
What Are the Requirements for Businesses Under FINRA?
FINRA conducts its own studies and assessments of the financial sector on a regular basis. In general, there are several areas where they typically find a need for improvement:
- Risk Assessment: Risk assessment is incredibly useful, and yet many financial agencies don’t conduct regular cybersecurity risk assessments or apply risk management practices in a meaningful way outside of their financial models. Risk in terms of cybersecurity is a completely different beast, and FINRA expects participating businesses to perform some form of cybersecurity risk assessment.
- Passwords and Access Management: This category covers several areas. FINRA often finds that organizations don’t effectively manage passwords against theft or breach, nor do they have a formal process to address events like terminating access when an employee leaves.
- Auditing and Logging: Again, while logging is typically in place for events related to financial transactions, many organizations still need to play catch up when it comes to maintaining immutable logs and audit trails for security events like system access, privileged user events, and so on.
- Managing Vendors: FINRA compliance requires that third-party vendors handling relevant data also maintain compliance, and it is up to primary institutions to ensure that they are.
With those items in mind, FINRA compliance revolves around a firm’s ability to maintain data integrity, confidentiality and availability. Overall, FINRA compliance audits will ascertain how well your company follows specific SEC cybersecurity regulations.
FINRA will conduct annual audits that include the following steps:
- Background: Your organization will provide pre-inspection documentation through the FINRA Firm Gateway portal; FINRA will examine these documents before and during on-site inspections.
- On-Site Exam: FINRA representatives will conduct an assessment of your building, including interviews with company leadership and compliance officers. Using the background documents as a way to shape strategy, FINRA will then use that strategy to drill down into your organization. At this point, your employees will be expected to cooperate with auditors.
- Exit: A concluding meeting will end the audit, where FINRA representatives will discuss findings, necessary remediation and recommendations for improvement.
- Examination Report: After the concluding meeting, FINRA will provide the CEO of your company with an examination report which, if deemed necessary, will require a response letter outlining corrective actions for remediation.
Best Practices for FINRA Cybersecurity Compliance
Before, during and after your audit, it’s imperative that you are ready to comply with specific regulations or remediate systems and practices to do so. These regulations and best practices include:
- Implementing measures against identity theft. Federal Regulation S-ID states that a financial institution or creditor that offers covered accounts (like investment, credit or savings accounts) must have a written and documented Identity Theft Prevention Program that can “detect, prevent and mitigate identity theft”.
- Developing written policies for the protection of customer information. Federal Regulation S-P outlines technical, physical and administrative safeguards that serve to protect customer records. This includes ensuring confidentiality and data integrity and protecting against unauthorized use.
- Adhering to the Securities Exchange Act of 1934. This act, specifically section 240.17a-4, states that a financial institution must have methods in place for storing customer data for a set period of time that depends on the type of record. It also defines how accessible that data must be within the company and to customers.
These regulations take on several different interpretations depending on the context (especially #3). In modern terms, typical compliance applies to common cybersecurity practices that most businesses handling user data should adhere to:
- Implementing encryption for data at rest and in transit. Typically, this means AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.
- Using clear audit logging and reporting for customer interactions, security events and other activities that provide forensic information about system activity. This is often centralized in a Security Information and Event Management (SIEM) system.
- Having clearly documented and regularly updated security policies in place to cover threat and risk assessment, remediation and administrative policies (including training and continuing education) that protect the confidentiality of data.
- Maintaining copies and records of written agreements, security incidents and financial transactions, with a reliable and secure method of storage and transmission so that all data is both protected and accessible.
- Having systems in place to detect red flags for identity theft, including mismatches between customer address and purchase location, sudden changes in customer address and other potential threat events. Additionally, a theft prevention program must include detailed responsibilities for how the organization responds to incidents of theft.
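The red-flag screen described in the last item, as an added illustration that is not part of the original article: it models the two flags the text names (purchase location not matching the customer’s address, and purchases made shortly after an address change) over constructed sample data. The `Customer` and `Purchase` types, the 14-day window and the flag codes are assumptions for illustration, not values prescribed by Regulation S-ID or FINRA.

```python
"""Added example (not from the original article): a minimal Regulation S-ID
style red-flag screen over constructed customer events."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Customer:
    customer_id: str
    address_country: str
    address_changed_on: Optional[date] = None  # None: no recent change on file


@dataclass
class Purchase:
    customer_id: str
    on: date
    country: str  # country the purchase originated from


# Assumed threshold: purchases within this window after an address change are flagged
RECENT_CHANGE_WINDOW = timedelta(days=14)


def red_flags(customer: Customer, purchases: List[Purchase]) -> List[str]:
    """Return flag codes (with the purchase date) for this customer's purchases."""
    flags = []
    for p in purchases:
        if p.customer_id != customer.customer_id:
            continue  # only screen this customer's own activity
        if p.country != customer.address_country:
            flags.append(f"LOCATION_MISMATCH:{p.on.isoformat()}")
        if customer.address_changed_on is not None:
            since_change = p.on - customer.address_changed_on
            # only purchases *after* the change, and within the window, count
            if timedelta(0) <= since_change <= RECENT_CHANGE_WINDOW:
                flags.append(f"PURCHASE_AFTER_ADDRESS_CHANGE:{p.on.isoformat()}")
    return flags


# Constructed sample data for the demonstration
CUSTOMER = Customer("C-001", "US", address_changed_on=date(2024, 3, 1))
PURCHASES = [
    Purchase("C-001", date(2024, 2, 20), "US"),  # before the change, same country
    Purchase("C-001", date(2024, 3, 3), "DE"),   # raises both flags
    Purchase("C-001", date(2024, 3, 20), "US"),  # outside the window, same country
    Purchase("C-002", date(2024, 3, 3), "DE"),   # another customer, ignored
]

if __name__ == "__main__":
    for flag in red_flags(CUSTOMER, PURCHASES):
        print(flag)
```

In a real program the flags would be routed to the incident-response owners that the prevention program assigns, rather than printed.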
Some of the more common facets of your IT system that you will need to contend with include:
- Email and Phishing: Phishing is a common attack across multiple industries, and finance is no exception. To maintain compliance, you should have policies in place to prevent and respond to phishing attacks as they occur.
- Insider Threats: Employees can breach sensitive systems and compromise the security and confidentiality of customer data. Regular audits, training and prevention efforts must be in place to prevent unauthorized access to data and to mitigate the impact of insider threats as they occur.
- Endpoint Security: Internal network security won’t cover mobile devices, and in a world where remote work is more common, it’s critical that you have policies in place that dictate how employees can use mobile devices and access critical systems.
- Technical Security: Traditional attacks on public-facing systems will fly under the radar if you don’t stay up to date on modern threats. Regular penetration testing can help you stay current on these threats and how to harden your systems against them.
FINRA Compliance and Auditing With Lazarus Alliance
Preparing for a FINRA, SEC or other finance industry audit can be a huge undertaking. Reporting, audits and remediation can take weeks or months of time, and when they happen annually the simple act of compliance becomes a full-time job.
Working with Lazarus Alliance can streamline that task. We can automate FINRA and SEC audits so that what might take weeks or months might only take days. Furthermore, we are a cybersecurity-first organization: unlike financial firms that include security services, we can bring decades of collective security experience to your company to ensure you can meet your regulatory obligations.