This month, FINRA released two publications pertaining to cybersecurity risks at financial firms. The Report on Cybersecurity Practices presents the findings of FINRA's 2014 investigation of cybersecurity issues at financial firms and sets out risk management principles and practices to help firms reduce their exposure to cyber threats. The regulatory authority also published Cybersecurity and Your Brokerage Firm, an investor alert designed to "encourage investors to understand a firm's cybersecurity policies and take personal precautions to safeguard their brokerage accounts and personal financial information."
FINRA's 2014 investigation had four purposes: "to better understand the types of threats that firms face; to increase [FINRA's] understanding of firms' risk appetite, exposure and major areas of vulnerabilities in their information technology systems; to better understand firms' approaches to managing these threats; and to share observations and findings with firms." It found that the top three threats financial firms face are "hackers penetrating firm systems; insiders compromising firm or client data; and operational risks."
The Report on Cybersecurity Practices details general principles and useful practices for identifying and managing cybersecurity risks, including "defining a governance framework to support decision making based on risk appetite; ensuring active senior management, and as appropriate to the firm, board-level engagement with cybersecurity issues; identifying frameworks and standards to address cybersecurity; using metrics and thresholds to inform governance processes; dedicating resources to achieve the desired risk posture; and performing cybersecurity risk assessments."
FINRA's investor alert gives guidance to individuals regarding cybersecurity risks, urging investors to familiarize themselves with their firm's cybersecurity practices and policies. The alert further states that investors should proactively safeguard their own personal financial information and brokerage accounts, including by installing up-to-date firewall and anti-virus software on their personal computers and by formally logging out of online account sessions after each use.