Broker-Dealer Cybersecurity - FINRA Podcast (Part 2 of 3)

July 17, 2017

In the second of a 3-part series on common cybersecurity program deficiencies, Chip Jones, FINRA’s SVP of Member Relations and Education, leads a discussion with Dave Kelley, the Surveillance Director from FINRA's KC District Office, on formalizing the oversight of a firm's cyber program and strengthening controls around access to data and systems. The podcast duration is 6-1/2 minutes.


When formalizing a cybersecurity program, firms should incorporate the following elements:

  • involvement of top management including, where applicable, the board of directors;
  • one person dedicated to organizing the entire program firmwide (in a small firm, that might be the CCO or an outside IT consultant); and,
  • communications between the designated person and top management.


The FINRA Small Firm Cybersecurity Checklist is designed to assist small firms in establishing a cybersecurity program to:

►  identify and assess cybersecurity threats, protect assets from cyber intrusions

►  detect when their systems and assets have been compromised

►  plan for the response when a compromise occurs

►  implement a plan to recover lost, stolen or unavailable assets


To control access to a firm’s data, a firm must have answers to the following questions:

  • How do people get access?
  • How is access taken away when people leave the firm?
  • What type of monitoring is done on an annual basis to know who has access to data?
  • Is the firm’s data stored on an internal server or on a vendor’s remote server?
  • Who, at the firm, has more access to firm data than anyone else, and what is the process for knowing what they’re doing at any/all times?
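The questions above describe an access review: reconcile the HR roster against the account list so that departed users are deprovisioned and the people with the widest access are known. The script below is an added example, not material from the podcast or from FINRA; the roster and account records are constructed sample data and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Person:
    user_id: str
    end_date: Optional[date]   # None while still employed

@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    privileged: bool
    enabled: bool

# Constructed sample data: an HR roster and an export of enabled accounts per system.
ROSTER = [
    Person("asmith", None),
    Person("bjones", date(2017, 5, 31)),   # left the firm; access should be gone
    Person("cmiller", None),
]
ACCOUNTS = [
    Account("asmith", "crm", privileged=False, enabled=True),
    Account("asmith", "fileserver", privileged=True, enabled=True),
    Account("asmith", "email", privileged=False, enabled=True),
    Account("bjones", "crm", privileged=False, enabled=True),   # stale: owner has left
    Account("cmiller", "email", privileged=False, enabled=True),
    Account("svc_backup", "fileserver", privileged=True, enabled=True),  # no owner on roster
]

def stale_accounts(roster, accounts, as_of):
    """Enabled accounts whose owner left on or before as_of, or who is not on the roster."""
    active = {p.user_id for p in roster if p.end_date is None or p.end_date > as_of}
    return sorted((a.user_id, a.system) for a in accounts if a.enabled and a.user_id not in active)

def privileged_holders(accounts):
    """Users holding an enabled privileged account: the population to monitor most closely."""
    return sorted({a.user_id for a in accounts if a.enabled and a.privileged})

def widest_access(accounts):
    """Users with the largest number of enabled accounts across systems."""
    counts = {}
    for a in accounts:
        if a.enabled:
            counts[a.user_id] = counts.get(a.user_id, 0) + 1
    top = max(counts.values())
    return sorted(u for u, c in counts.items() if c == top)
```

Running the review as of the podcast date flags the departed user's CRM account and the ownerless service account, and lists who holds privileged and the widest access.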


When it comes to password protection, ... firms should require longer and more complex passwords that are changed periodically. Firms should also utilize “multi-factor authentication” for people who access firm data from outside the organization.


NEXT UP - PART 3 -   Vendor Management, Branch Controls, Data Protection.

