Cyberattacks have escalated at an alarming rate in the last few years. At its recent Cybersecurity Conference, FINRA (Financial Industry Regulatory Authority) discussed the increase in cyber incidents handled by the Cybersecurity Specialist Team. In 2019, there were approximately 20 attacks. In 2021, there were 200. That’s a 900% increase in attacks in just two years.
At the conference, it was emphasized that the cyber threat landscape has grown increasingly sophisticated, complex, and harmful to our [US] national and economic security. Smarsh has previously discussed the SEC’s (US Securities and Exchange Commission) proposed rules and alerts for cybersecurity risk management, and it should be clear that financial services firms must make cybersecurity a top priority.
FINRA also noted the following trends from the last year:
- Increased trading volume
- Increased number of imposter websites
- More ransomware infections
- Greater number of customer and firm account takeovers
- More digital currency/asset fraud schemes
How should financial services respond?
The financial services industry has been increasing its dependency on digital connections, especially as more companies commit to hybrid work. As the value of the data in those digital communications has increased, cyber criminals’ desire to access that data has grown, and they are constantly modernizing their attacks.
Firms need to consider the following:
- Whether they will continue to allow remote or hybrid work
- BYOD policies for mobile devices
- The ongoing introduction of new collaboration tools
- Reliance on mobile and cloud technology
While the pandemic pushed firms into allowing more of the above activities for business continuity reasons, firms need to shift gears and be more thoughtful in how they integrate these practices into their communication strategies. FINRA advises firms to ask themselves:
- What security controls have we put into place regarding these activities, such as remote access, virtual private networks, and multifactor authentication?
- Have we reviewed our policies and procedures to make sure we’re capturing any new activities?
- Have we increased our security training and awareness programs to reflect new activities?
Also, firms need to think about their basic data protection hygiene:
- Make sure information is encrypted at rest and in transit
- Make sure encryption certificates are current
- Consider leveraging data protection tools (e.g., ADR tools)
- If using cloud technologies, consider data loss prevention capabilities
Create an incident response strategy
In FINRA’s 2022 Exam Priorities Report, it was noted that effective cybersecurity practices should include incident response planning. Below are some insights regarding possible best practices from the conference.
Incident response plan
Make sure your cybersecurity program includes a clear incident response plan (written documentation) that implements measures to detect, respond to, and recover from a cybersecurity incident.
Include incident response training as part of your policies and procedures. One suggestion at the conference was to routinely run through scenarios with employees to identify issues and provide more robust insights into how you can improve your response plan. Another great suggestion was to make sure you maintain a paper copy of your incident response plan and key contact information so that you have it should your computer access be down.
We’ve all probably heard by now that most cyberattacks originate with internal employees. Firms can implement policies and procedures and conduct extensive training, but employees are still emotionally susceptible to cyberattacks.
It’s important to consider how emotions and behaviors can play into cyberattacks. Attacks often include elements that make you feel pressured or intimidated to get you to perform prohibited actions. One panelist suggested adding a training element to address emotional triggers and implementing escalation procedures to bring in an outside perspective when these triggers occur.
Develop trusted vendor partnerships
It’s crucial for firms to collaborate with their IT vendors to understand how their technology solutions are used and what controls are in place. It is important to fully understand the risks associated with these relationships so that business conversations have the appropriate risk context during decision-making.
Collaboration tools in particular have sensitive data that’s being transmitted or stored. Consider implementing formal policies and procedures that review and reassess a vendor’s cybersecurity controls.
Cybersecurity needs to be top of mind
During an era when cyberattacks continue to climb, firms are creating, using and archiving more data than ever. There’s no conflicting message among regulators. Both the SEC and FINRA are emphasizing the increase of attacks and stressing the importance of cybersecurity. Firms must monitor for threats and breaches on their technology infrastructure holistically — including third-party vendors.
Source: Smarsh – Author: Tiffany Magri
About the author:
Tiffany Magri – Regulatory Advisor at Smarsh
As a Regulatory Advisor at Smarsh, Tiffany monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.