Financial services that cover individual investments, pension and profit sharing plans, trusts and estates are regulated by the Financial Industry Regulatory Authority. Even just the acronym FINRA is enough to make investment specialists shake their heads in frustration. There are so many rules and guidelines.

However, these same firms, even the small to mid-sized ones are prime targets for cyber attacks so it is a good thing that the key element of compliance with government regulations and industry standards is security. Not only does FINRA drive home the message about the importance of cyber security, it provides information that can help financial services assess their risk and determine a security strategy.

FINRA has actually produced a Report on Cybersecurity Practices, a practical response to their survey of financial brokers and advisors that found 80% of them had been the object of a cyber attack. The purpose of the report is not to fear monger but to provide evidence-based information about security risks and ideas for mitigating or eliminating them. Each section highlights “Principles and Effective Practices”.

The bottom line is that financial services firms of all sizes and business models need to understand their vulnerability to attacks and who might come after them. Only when they recognize the threat can they plan and implement an effective cybersecurity strategy.

The main steps to take are:

• Establish governance for cybersecurity and risk management.

Whether it is the owner of a small financial service or the executive of a large corporation, senior management must be involved in determining the policies and controls for effective cybersecurity. This includes allocating sufficient resources to perform risk assessments, deploy appropriate business tools and provide ongoing support to the security practices. In other words, they need to accept responsibility and be accountable for ensuring a successful security program.

• Conduct risk assessment for cyber threats.

A risk assessment is not a one time event. Regular reviews of both external and internal threats are needed as personnel change, technology changes and fresh opportunities are presented to hackers. After vulnerabilities are identified, they need to be prioritized before a plan is developed.

• Develop and implement a cybersecurity plan.

Work through three main steps:

• Design an IT system that meets the needs of the risk assessment
• Deploy protective technology with polices and procedures in place and users well trained
• Manage the system with ongoing monitoring in order to respond to incidents, provide threat analytics, manage access, apps and devices, and submit reports

Small to mid-sized financial services firms will find it is usually most useful to have an objective third party conduct a risk assessment. They will also quickly realize it is cost effective and more efficient to engage a Managed Services Provider for looking after all the IT systems on an ongoing basis. Using such a service frees up their IT person to focus on creative technology that boosts the bottom line, instead of spending time on routine maintenance.

Yes, FINRA is a regulatory body and they do insist on compliance around data security. However, they are also there to help as everyone in the business has the same goal of ensuring integrity in all transactions.

For assistance in conducting a risk assessment and implementing an effective cybersecurity plan, contact the specialists at Digital6 Technologies now.