
B/D Cybersecurity - FINRA Podcast (Last of 3 Parts)

July 25, 2017

by Howard Haykin


In this third and last of a 3-part series on common cybersecurity program deficiencies, Chip Jones, FINRA’s SVP of Member Relations and Education, leads a discussion with Dave Kelley, the Surveillance Director from FINRA's KC District Office, on formalizing the oversight of a firm's cyber program and strengthening controls around access to data and systems. The podcast duration is 7-1/2 minutes.


VENDOR MANAGEMENT AS IT RELATES TO CYBERSECURITY.    These days, every firm – large or small – uses a vendor for something, and those vendors often have access to firm data. Therefore, firms should manage those vendors before, during and after the engagement:


  • Before engaging a vendor: (i) know how the vendor is going to protect firm data; (ii) know who at the vendor will have access to your firm’s data; (iii) design controls that will monitor data protection; (iv) incorporate all this information in the contract with the vendor.


  • After the vendor has been engaged, verify on an ongoing basis that the designated controls are in place and are working.


  • After the vendor completes its assignment and departs, ascertain (to whatever extent is possible) that the vendor has deleted any firm data from its computers and storage facilities.


EFFECTIVE CYBERSECURITY CONTROLS AT BRANCHES.    Branch offices of a broker-dealer may be responsible for buying their own hardware and setting up security. Here’s what FINRA likes to see, with respect to branch cybersecurity:


  • Firms should have a training program in place to instruct new personnel so that they understand firm controls and expectations.


  • Firms should have processes that monitor what’s happening at branch offices. This can be accomplished with: (i) branch inspections; and/or (ii) software installed on computers at those locations that monitor such controls as encryption and virus protection.


  • Annual training for all associated persons.


REMOVABLE MEDIA.    For such devices as CDs and thumb drives, FINRA looks to see that firms have controls in place to prevent inadvertent or purposeful downloading of firm data.


Click here to access PART 1 OF 3

Click here to access PART 2 OF 3