By Howard Haykin

BRANCH CONTROLS

FINRA has observed that some firms find it challenging to maintain effective cybersecurity controls at their branch and non-branch locations. “Out of sight/out of mind,” is a common refrain, while other firms cite increased challenges, like …

• their branches purchase their own assets, or use non-approved vendors, or don’t follow the firms’ software patching and upgrade protocols; or,
• registered reps work from home using ineffective or outdated networking safeguards.

Whatever the reason or issue, FINRA offers some take aways that might help.

I.  BRANCH-LEVEL WSPS.    Although most firms have developed WSPs addressing cybersecurity controls, branch offices often have less developed cybersecurity controls in comparison to the home office. Here are some effective practices firm may want to implement:

• Develop branch-level WSPs and other comprehensive guidance on cybersecurity controls and distribute them to all branches;
• Distribute alerts, notifications on emerging cybersecurity issues to both home office employees and branch representatives;
• Designate responsibility for a branch’s cybersecurity controls to a branch office supervisor or staff member;
• Provide branches with a list of required and recommended hardware and software options and settings, as well as approved vendors;
• Mandate that branch personnel notify branch management of, and properly respond to, violations of firm cybersecurity standards or material cybersecurity incidents involving loss of confidentiality, availability or integrity of customer personally identifiable information (PII) or sensitive firm data (see Sections 11 and 12 of FINRA’s Small Firm Cybersecurity Checklist); and,
• Mandate that cybersecurity policies are included in the Annual Compliance Questionnaires to which registered reps must attest.
• Require branch staff and registered reps to complete regularly-scheduled cybersecurity training, in addition to their required CE programs.

II.  ASSET INVENTORY.    Asset inventories are a key element of any firm’s cybersecurity program, especially where branches’ autonomy may make it difficult for firms to know the scope of assets they need to protect. When used in conjunction with a cybersecurity risk assessment, an asset inventory can serve as a starting point to identify critical assets and their vulnerability to attack, as well as appropriate policy, technical and physical controls to mitigate those risks. Here are some effective practices firm may want to implement:

• Require branches to perform initial and recurring inventories of branch assets and update the firm regarding any changes;
• Identify sensitive customer and firm information and the location(s) where such information is stored;
• Ensure the physical security of branch assets;
• Establish processes by which branches manage and report lost or stolen assets;
• Provide secured asset disposal, such as destroying hard drives of computers no longer in use; and,
• Ensure branch operating systems are properly supported and maintained either by the firm or by vendors.

III.  TECHNICAL CONTROLS.    Firms can use a cybersecurity risk assessment to determine which threats are most significant for each branch and, then, identify and implement appropriate technical (and other) controls to mitigate those threats. Here are some effective practices firm may want to implement:

• Develop identity and access management protocols for registered reps and other staff, including managing the granting, maintenance and termination of access to firm and customer data;
• Limit registered reps’ access to only their own customers’ data and related exception reports;
• Set minimum password requirements and multi-factor authentication for access to firm systems and applications by firm employees, registered reps, vendors, contractors and other insiders;

►   Prohibit the sharing of passwords among firm staff;

• Prohibit the storage of sensitive customer or firm data in unapproved or prohibited locations - e.g., a file server, cloud provider or thumb drive and without encryption or transmitted without encryption;
• Establish minimum encryption standards for all branch hardware used to access firm systems, including laptops, desktops, servers, mobile devices and removable media devices;

►   Require branches to adhere to minimum encryption standards (and provide technical tools to enforce that standard) for data-in-transit, such as emails and file transfers that include customer PII or sensitive information;

►   Ensure branches use only secure, encrypted wireless settings for office and home networks;

• Maintain regular patching, anti-virus protection, anti-malware and operating system updates for all branch computers and servers that access firm data in a manner that is consistent with firm, vendor and industry standards;
• Develop physical security protocols for all portable devices used to access firm data and systems, including laptops and mobile devices;
• Mandate all branch vendors (including cloud providers) meet firm security requirements, especially if firm data or other sensitive information will be accessed or maintained by the vendor; and,
• Create processes and select firm-approved vendors for the secure disposal of hard copy records and firm computer hardware - e.g., hardware listed in the firm’s inventory - that may contain sensitive information.