Penetration Testing for FINRA
The Financial Industry Regulatory Authority (FINRA), a not-for-profit organization that regulates broker-dealers and their personnel in the United States, plays a pivotal role in providing guidance on best practices for financial firms to protect their systems and data. In 2024, FINRA published its Annual Regulatory Oversight Report, which examines findings from its Member Supervision, Market Regulation and Enforcement programs and provides recommendations to member firms. These guidelines and recommendations give member firms and the public greater transparency into FINRA's regulatory and compliance activities. While FINRA itself does not prescribe a specific penetration testing (pentesting) requirement, firms must adhere to general cybersecurity standards as part of their compliance obligations under FINRA Rule 4370 (Business Continuity Plans) and FINRA Rule 3110 (Supervision). With financial firms facing persistent phishing, insider threat activity, and common weaknesses in branch office controls, it is important for firms to maintain a strong cybersecurity framework that combines vigilant defensive measures with proactive ones such as penetration testing.
Why Penetration Testing is Crucial for Financial Firms and Why FINRA Recommends It
Cybersecurity is a major challenge for companies and individuals alike, and it is a particularly serious one for the financial industry: firms must protect not only their own data but also their customers' data, and sometimes their customers' life savings. Yolanda Trotman, an examination director in FINRA's regulatory review group in New York, and Steve Palansky, Senior Director of FINRA's Member Supervision department, speak about the insider threat landscape and emphasize concepts such as SIEM (Security Information and Event Management) and pentesting (penetration testing).
During the interview with FINRA panelists, Yolanda highlighted the critical importance of maintaining continuous security policies and integrating Identity and Access Management (IAM) systems. She also goes into depth on key processes such as the use of a SIEM tool, which she defines as "software products and services that provide real-time analysis of security alerts, that are generated by applications and network hardware," underscoring the use of security tooling for proactively identifying and mitigating potential threats. "These tools collect, aggregate and correlate log information from numerous sources within the firm's systems and network, some of which include firewalls, intrusion detection and prevention systems, servers, as well as network devices." While penetration testing is not a mandatory requirement for member firms, FINRA strongly advocates for its inclusion in a robust cybersecurity program. Pentesting is a highly recommended practice because it proactively identifies vulnerabilities in a firm's systems before an attacker does.
FINRA's Report on Selected Cybersecurity Practices emphasizes the relevance of penetration testing, stating: "The utility of pen tests is less a function of firm size, and much more a function of a firm's business model and technology infrastructure. For example, pentests are highly relevant to firms that provide online access to customer accounts."
Protection Against Cyber Threats: Financial firms face persistent phishing attacks, which exploit human weaknesses to gain unauthorized access to sensitive systems and data, and insider threats compound this risk by introducing exposure from within the organization. Yolanda explains that these insiders are "individuals who currently have or previously had authorized access to firm systems and data because of their job function or role". Mobile device security and branch office controls add further exposure, and together these form a significant concern. Because financial firms generally have multiple branches, some branches located away from the home office operate under an independent contractor model: they buy and install their own equipment and software and put their own controls in place. The home office usually has little to do with what happens at those branch locations, which becomes a major security concern, so a strong framework is required for monitoring technical controls, maintaining asset inventories, and setting a policy specifically for these branches on what they should be thinking about to maintain compliance.
Brita Bayatmakou, Senior Director of FINRA's National Cause and Financial Crimes Detection Program, who leads the Cyber and Analytics unit, also highlights the significance of proactively addressing these risks: "It's really critical that we ensure we're keeping pace with trends and it's important that we establish a team like this, bringing it together to proactively detect and address those threats that we see across the cyber discipline".
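To make the SIEM description above concrete (collecting and correlating log lines from several sources such as VPN, firewall and Windows authentication) and to show how the insider definition (someone who "previously had authorized access") can be turned into a detection rule, here is an added example of a minimal correlator. It is illustrative code written for this page, not FINRA's, the panelists', or any vendor's; the log line formats, the sample lines, the DEPROVISIONED feed of terminated accounts, and the thresholds are all constructed assumptions, not formats any real product emits.

```python
"""Minimal SIEM-style log correlation (added example; all log formats and data are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three hypothetical sources (vpn, winauth, fw).
# The "<timestamp> <source> key=value ..." layout is an assumption for this example.
SAMPLE_LOGS = [
    "2024-03-04T09:00:01Z vpn  user=jdoe  src=203.0.113.7 result=FAIL",
    "2024-03-04T09:00:05Z vpn  user=jdoe  src=203.0.113.7 result=FAIL",
    "2024-03-04T09:00:09Z vpn  user=jdoe  src=203.0.113.7 result=FAIL",
    "2024-03-04T09:00:12Z vpn  user=jdoe  src=203.0.113.7 result=FAIL",
    "2024-03-04T09:00:20Z vpn  user=jdoe  src=203.0.113.7 result=SUCCESS",
    "2024-03-04T09:15:00Z winauth user=rsmith src=10.0.5.22 result=SUCCESS",
    "2024-03-04T09:16:30Z fw   src=10.0.5.22 dst=10.0.9.4 dport=445 action=ALLOW",
    "2024-03-04T10:02:00Z winauth user=alee src=10.0.5.40 result=FAIL",
    "2024-03-04T10:30:00Z winauth user=alee src=10.0.5.40 result=SUCCESS",
]

# Hypothetical HR/IAM feed: accounts whose access was terminated, and when.
# A former employee is an "insider" in the sense used on this page.
DEPROVISIONED = {"rsmith": datetime(2024, 2, 28)}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Normalize one raw line into a dict of fields; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": m.group("source"), **fields}


def normalize(lines):
    """Aggregate lines from all sources into one time-ordered event stream."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def rule_deprovisioned_access(events, deprovisioned=DEPROVISIONED):
    """Insider rule: a successful authentication by an account after its access was terminated."""
    alerts = []
    for e in events:
        user = e.get("user")
        if e.get("result") == "SUCCESS" and user in deprovisioned and e["ts"] > deprovisioned[user]:
            alerts.append({"rule": "deprovisioned_account_login", "user": user,
                           "src": e.get("src"), "ts": e["ts"]})
    return alerts


def rule_failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Credential-guessing rule: >= threshold FAILs then a SUCCESS for the same (src, user) inside window."""
    alerts = []
    recent_fail = defaultdict(list)  # (src, user) -> timestamps of failures still inside the window
    for e in events:
        key = (e.get("src"), e.get("user"))
        if e.get("result") == "FAIL":
            recent_fail[key].append(e["ts"])
            recent_fail[key] = [t for t in recent_fail[key] if e["ts"] - t <= window]
        elif e.get("result") == "SUCCESS":
            fails = [t for t in recent_fail[key] if e["ts"] - t <= window]
            if len(fails) >= threshold:
                alerts.append({"rule": "failures_then_success", "user": key[1], "src": key[0],
                               "failures": len(fails), "ts": e["ts"]})
            recent_fail.pop(key, None)  # success resets the counter for this pair
    return alerts


def correlate(lines, deprovisioned=DEPROVISIONED):
    """Run every rule over the normalized stream and return all alerts."""
    events = normalize(lines)
    return rule_deprovisioned_access(events, deprovisioned) + rule_failures_then_success(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed input this raises two alerts: jdoe's four failures followed by a success from 203.0.113.7 inside five minutes, and rsmith's successful login after the account's termination date. alee's single failure 28 minutes before a success does not trip the window. The firewall line is aggregated into the same stream but matches neither rule, which is the normal case for most events a SIEM ingests; the value of correlation is that the HR/IAM feed and the authentication log are joined, which neither source can do alone.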
Compliance and Regulatory Requirements: Compliance with regulatory requirements is a top priority for financial firms, and penetration testing plays a pivotal role in demonstrating adherence to them. FINRA, the Securities and Exchange Commission (SEC), and other regulatory bodies expect financial firms to implement comprehensive cybersecurity programs, and regular testing of systems and controls is how a firm shows that those controls are actually effective at preventing breaches rather than merely documented.
Penetration testing aligns with several key regulatory expectations, including the need for robust risk assessments and the identification of security vulnerabilities. Failing to meet these expectations can result in substantial fines, increased scrutiny, and a loss of customer trust. By conducting regular penetration testing, firms can demonstrate a proactive commitment to compliance and to the security of customer data. This not only satisfies regulators but also helps firms avoid the financial and reputational damage associated with data breaches and cyber attacks.
Integration with Overall Cyber security Program:
FINRA emphasizes that penetration testing should not stand alone but should be part of a broader, cohesive program. In the panel, Steve mentions that, in addition to penetration testing, a few key elements need to be considered and followed up on during the remediation process:
Patch management
Secure system configuration
Identity and access management
Vulnerability scanning
Endpoint malware protection
Email and browser protection
Security awareness training
Considerations for Firms:
Does the firm conduct regular penetration tests and vulnerability scans to identify potential cybersecurity weaknesses?
How does the firm determine the scope and frequency of such tests?
What process does the firm use to address any vulnerabilities identified through these tests?
Conclusion: Although FINRA does not mandate penetration testing, it strongly encourages firms to incorporate it into their cybersecurity programs, especially firms handling sensitive data or providing online services to customers. By following FINRA's guidance on effective practices, financial firms can enhance their security posture and better protect themselves and their clients from evolving cyber threats.
Financial firms should consult FINRA's cybersecurity resources and consider their specific risk profile when determining the appropriate scope and frequency of penetration testing and their overall cybersecurity measures.
Sources:
2024 FINRA Annual Regulatory Oversight Report: https://www.finra.org/sites/default/files/2024-01/2024-annual-regulatory-oversight-report.pdf
Interview Link: https://www.youtube.com/watch?v=ZaIqlv4ya_0